HP ProCurve Threat Management Solution Implementation Guide 2009-05

C-95
Configure VPNs Using the HP ProCurve Threat Management Services zl Module
Configure a Client-to-Site IPsec VPN for HP ProCurve VPN Clients
g. For Destination, leave Any Address or specify the local gateway IP address.
For this example, select the LocalGateway address object.
h. Click Apply.
i. For From, select Self.
j. For To, select the remote zone. For this example, select External.
k. For Service, select ipsec-nat-t-udp.
l. For Source, leave Any Address or specify the local gateway IP address.
For this example, select the LocalGateway address object.
m. For Destination, specify Any Address.
If you know the public addresses of all of your remote endpoints, you could create a
named object with those addresses and specify that object here.
n. Click Apply.
6. Permit traffic from the remote endpoints to local endpoints. In this example, you want to
apply different access policies based on the remote user’s group:
a. Click Close.
b. For User Group, select one of the groups to which remote users authenticate. For this
example, select EmployeesA.
c. Click Add a Policy.
d. For Action, leave the default, Permit Traffic.
e. For From, select the IKE mode config zone. For this example, select Zone1.
f. For To, select the local zone. For this example, select Internal.
g. For Service, leave Any Service.
This is the most basic configuration. You could create access policies that permit only
certain types of traffic.
h. For Source, specify the virtual addresses assigned to remote clients. For this example,
select the ModeConfigAdds address object. (You could also specify the addresses
manually.)
i. For Destination, specify the local addresses that the remote endpoints are allowed to
reach. For this example, select LocalEndpoints.
j. Click Apply.
k. Click Close.
l. For User Group, select another group to which remote users authenticate. For this
example, select EmployeesB.
m. Click Add a Policy.
n. In this example, you want to exclude these employees from a server that holds
sensitive data. For Action, select Deny Traffic.
o. For From, select the IKE mode config zone. For this example, select Zone1.
p. For To, select the local zone. For this example, select Internal.
q. For Service, leave Any Service.
This is the most basic configuration. You could create access policies that deny only
certain types of traffic.
r. For Source, specify the virtual addresses assigned to remote clients. For this example,
select the ModeConfigAdds address object. (You could also specify the addresses
manually.)
s. For Destination, specify the prohibited local address. For this example, click Options,
select Enter custom IP, IP/mask or IP-Range, and then type 192.168.4.20.
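The following is an added example, not part of the HP guide and not code from the TMS zl Module: a small Python model of the two user-group access policies built in step 6 (EmployeesA permitted from Zone1 to Internal for the LocalEndpoints object; EmployeesB denied from Zone1 to Internal for 192.168.4.20), used to check that sample flows receive the verdict the procedure intends. The contents of the ModeConfigAdds and LocalEndpoints address objects, the sample addresses, the service label and the default-deny fallback for unmatched traffic are all constructed assumptions; the guide names the objects but does not list their members.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: the guide names these address objects but does not
# list their contents, so the ranges below are assumptions for the model only.
ADDRESS_OBJECTS = {
    "ModeConfigAdds": [ipaddress.ip_network("10.10.10.0/24")],   # virtual client addresses
    "LocalEndpoints": [ipaddress.ip_network("192.168.4.0/24")],  # reachable internal hosts
    "SensitiveServer": [ipaddress.ip_network("192.168.4.20/32")],  # custom IP typed in step s
}


@dataclass(frozen=True)
class Policy:
    user_group: str
    action: str        # "permit" or "deny"
    from_zone: str
    to_zone: str
    service: str       # "any" or a named service
    source: str        # key into ADDRESS_OBJECTS
    destination: str   # key into ADDRESS_OBJECTS


# The two policies from step 6, in the order they were created.
POLICIES = [
    Policy("EmployeesA", "permit", "Zone1", "Internal", "any",
           "ModeConfigAdds", "LocalEndpoints"),
    Policy("EmployeesB", "deny", "Zone1", "Internal", "any",
           "ModeConfigAdds", "SensitiveServer"),
]


def _in_object(addr, obj_name):
    """True if the address falls inside any network of the named address object."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADDRESS_OBJECTS[obj_name])


def evaluate(user_group, from_zone, to_zone, service, src, dst, policies=POLICIES):
    """Return the action of the first policy matching the flow.

    Unmatched traffic is reported as "deny"; that fallback is an assumption of
    this model, not a statement about the module's own default behaviour.
    """
    for p in policies:
        if p.user_group != user_group:
            continue
        if p.from_zone != from_zone or p.to_zone != to_zone:
            continue
        if p.service != "any" and p.service != service:
            continue
        if not _in_object(src, p.source) or not _in_object(dst, p.destination):
            continue
        return p.action
    return "deny"


def groups_allowed_to(dst, src="10.10.10.5", service="any", policies=POLICIES):
    """Audit helper: which user groups get a permit verdict for traffic to dst."""
    groups = sorted({p.user_group for p in policies})
    return [g for g in groups
            if evaluate(g, "Zone1", "Internal", service, src, dst, policies) == "permit"]


if __name__ == "__main__":
    # Constructed sample flows from the mode-config client range into Internal.
    print(evaluate("EmployeesA", "Zone1", "Internal", "tcp/445", "10.10.10.5", "192.168.4.10"))
    print(evaluate("EmployeesB", "Zone1", "Internal", "tcp/445", "10.10.10.6", "192.168.4.20"))
    print(groups_allowed_to("192.168.4.20"))
```

Running the model with the sample flows confirms the intended outcomes: an EmployeesA client in the ModeConfigAdds range reaching a LocalEndpoints host is permitted, an EmployeesB client reaching 192.168.4.20 is denied, and a flow arriving from the wrong zone or from an address outside ModeConfigAdds matches neither policy. The `groups_allowed_to` helper is the kind of check worth keeping: after editing policies, it lists which groups can still reach the sensitive host.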