HP TMS zl Module Security Administrator’s Guide
© Copyright 2011 Hewlett-Packard Development Company, LP. All Rights Reserved.
Publication Number 5998-2556
Disclaimer
The information contained in this document is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statement accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Contents
1 Managing TMS zl Modules
Introduction 1-3
NIM TMS Management Features 1-3
TMS zl Module Web Browser Interface Comparison 1-5
TMS zl Module Manual Configuration 1-5
Manually Enabling Management Through PCM+/NIM
Creating an HA Cluster
Create the Cluster in NIM
Import an HA Cluster Into NIM
Adding a Device to an HA Cluster
Removing a Module from an HA Cluster
Removing a Module Using NIM
Configuring Firewall Zone Properties
To configure a management zone:
To rename a zone:
Configuring Access Policies
To Create an Access Policy:
To Prioritize Access Policies:
IPsec Modes 4-10
Tunnel Mode 4-10
Transport Mode 4-11
Authentication and Encryption Algorithms 4-11
IPsec Security Associations (SAs)
Configuring an IPsec Site-to-Site VPN Between TMS zl Modules—Deploy IPsec Site-to-Site VPN Wizard
Create Named Objects for the VPN (Optional)
Run the Deploy IPsec Site-to-Site Wizard
Create Access Policies for the TMS zl Modules in the IPsec Site-to-Site VPN
Verify Routes for TMS zl Modules in the IPsec Site-to-Site VPN
Configure a GRE Tunnel
Create Named Objects (Optional)
Create a GRE Tunnel
Create Access Policies for a GRE Tunnel
Verify that a Route to the Remote Tunnel Gateway Exists
Configure a GRE over IPsec VPN with IKE
Managing IKE Policies
Viewing an IKE Policy
Editing an IKE Policy
Deleting IKE Policies
Managing IPsec Proposals
Viewing an IPsec Proposal
1 Managing TMS zl Modules
Contents
Introduction 1-3
NIM TMS Management Features 1-3
TMS zl Module Web Browser Interface Comparison 1-5
TMS zl Module Manual Configuration 1-5
Manually Enabling Management Through PCM+/NIM
HA Architecture Overview
The Failover Process
Configuration and Boot Order for HA Members
Linking Inter-Chassis Clusters
Updating Cluster Software
Introduction
Network usage has skyrocketed with the expansion of the Internet, wireless, and convergence technologies. This increases the burden on network managers working to control network usage. Also, the complexity of large networks makes it difficult to control network access and usage by individual users.
■ TMS - Firewall features are explained in Chapter 2, “Managing TMS zl Firewalls”.
■ TMS - IPS features are explained in Chapter 3, “Configuring a TMS zl Module as an IPS”.
■ TMS - VPN features are explained in Chapter 8, “Configuring a VPN on the TMS zl Module”.
TMS zl Module Web Browser Interface Comparison
Some features can be configured on the TMS zl Modules through the TMS zl Module Web browser interface but cannot be configured through NIM. These include:
■ DNS
■ DHCP relay
■ Firewall Application Level Gateways (ALGs)
■ Routing
For information on configuring these features on the TMS zl Modules, see the HP Threat Management Services zl Module Management and Configuration Guide available at: www.hp.
3. Configure an IP address for the module in the Management VLAN and allow the switch to have access via that VLAN. You do not need to configure an IP address for the module in the HA VLAN if you are using NIM to create the HA cluster.
4. Enable SNMPv2 or SNMPv3, and configure the SNMP communication parameters. Remember these settings because you will configure them for PCM.
1. Right click the TMS zl Module entry in the navigation tree.
2. Select Device Access.
3. Select Communication Parameters in PCM.
4. Click Next in the welcome window.
5. In the Configure the settings window, select SNMP Settings and click Next.
6. In the Configure SNMP Timeout and Retries window, accept the default settings or modify them as needed. Then, click Next.
7. In the Configure SNMP Version window, select the SNMPv3.
Manually Enabling Management Through PCM+/NIM
To manually enable management through PCM+/NIM, you must first configure some settings on the TMS zl Module:
1. Associate the PCM+/NIM server’s VLAN with a zone, preferably a management-access zone.
2. If the PCM+ server is not in a management-access zone, configure firewall access policies to permit at least ICMP/Echo, SNMP, SNMP traps, Telnet, SSH, and HTTPS traffic to the PCM+ server.
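A hand-written access-policy set for step 2 is easy to get partly wrong: one service is forgotten, or an earlier deny shadows a later permit. The following Python script is an added example, not part of this guide or of the TMS zl Module software. It models a prioritized rule set in a constructed, simplified form (not the module's own policy format), follows the guide's wording by treating the PCM+ server as the destination of every required service, and reports which of the six services the guide lists are not permitted. The port numbers (UDP 161 and 162, TCP 22, 23 and 443) are the standard IANA assignments assumed here; the guide names only the services. The rule set and the server address 10.0.10.5 are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Services this guide says must be permitted toward the PCM+ server when it
# is not in a management-access zone. Port numbers are the standard IANA
# assignments (an assumption); the guide itself names only the services.
REQUIRED_SERVICES = {
    "ICMP/Echo": ("icmp", None),
    "SNMP": ("udp", 161),
    "SNMP traps": ("udp", 162),
    "Telnet": ("tcp", 23),
    "SSH": ("tcp", 22),
    "HTTPS": ("tcp", 443),
}


@dataclass(frozen=True)
class Rule:
    """One access-policy rule in a constructed, simplified form."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None matches any port (and ICMP)


def rule_matches(rule: Rule, proto: str, port: Optional[int], server: str) -> bool:
    """True if the rule's selector covers this service toward the server."""
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != port:
        return False
    return ip_address(server) in ip_network(rule.dst, strict=False)


def first_match(rules, proto: str, port: Optional[int], server: str) -> Optional[Rule]:
    """Rules are evaluated in priority order; the first matching rule decides."""
    for rule in rules:
        if rule_matches(rule, proto, port, server):
            return rule
    return None


def missing_services(rules, server: str) -> list:
    """Names of required services that are not permitted toward the server,
    either because no rule matches or because a deny matches first."""
    missing = []
    for name, (proto, port) in REQUIRED_SERVICES.items():
        hit = first_match(rules, proto, port, server)
        if hit is None or hit.action != "permit":
            missing.append(name)
    return missing


# Constructed sample rule set (not an export from a TMS zl Module): the SNMP
# trap port was forgotten and an explicit deny blocks Telnet before the
# default deny at the end.
SAMPLE_RULES = [
    Rule("permit", "icmp", "10.0.10.5/32", None),
    Rule("permit", "udp", "10.0.10.0/24", 161),
    Rule("deny", "tcp", "10.0.10.5/32", 23),
    Rule("permit", "tcp", "10.0.10.0/24", 22),
    Rule("permit", "tcp", "10.0.10.0/24", 443),
    Rule("deny", "any", "0.0.0.0/0", None),    # default deny
]

if __name__ == "__main__":
    gaps = missing_services(SAMPLE_RULES, "10.0.10.5")
    print("required services missing for the PCM+ server:", gaps or "none")
```

Run against the constructed rule set, the check reports SNMP traps and Telnet as missing; a single permit-any rule for the server address clears the list. The first-match evaluation mirrors the prioritized policy order described later under "To Prioritize Access Policies", which is why a deny placed above a permit shows up as a gap.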
Testing the SNMP Communications
Before proceeding with the rest of the TMS zl Module configuration, test that the SNMP communications between the module and PCM are configured and operating correctly. To test the SNMP communications:
1. Right click the module in the PCM navigation tree.
2. In the menu, select Device Access.
3. In the submenu, select Test Communication Parameters in PCM. A Testing Communication Parameters window is displayed.
Viewing TMS zl Network Settings
Some TMS zl network settings, such as Zones and Authentication, apply to modules used for Firewall, IPS, and VPN operations. Therefore, these settings are shown as subtabs under the TMS-Network tab.
Viewing Zones
The Zones subtab on the TMS-Network tab is displayed when the TMS zl folder or a specific TMS zl module is selected in the navigation tree. Figure 1-2.
Viewing Authentication
The Authentication subtab on the TMS-Network tab is also displayed when the TMS zl folder or a specific TMS zl module is selected in the navigation tree. Figure 1-3.
L2TP Users
The L2TP Users subtab on the TMS-Network > Authentication tab displays the following information for all L2TP users configured on the selected TMS zl Module(s):
User Name: Name of User access policy
Authentication Protocol: Protocol used to authenticate L2TP users
User Group: Group to which the L2TP user is assigned
Server Address: IP address of the server
User Address: IP address that the remote client uses on the tunnel
RADIUS Domain
RADIUS Related Configuration
The RADIUS Related Configuration subtab on the TMS-Network > Authentication tab displays the following information for all RADIUS servers configured on the selected TMS zl Module(s):
RADIUS Authenticated Protocol: Protocol used for RADIUS authentication
Use RADIUS to authenticate L2TP clients: Whether a RADIUS server is used to authenticate L2TP clients
L2TP Server IP Address: IP address of the L2TP server
RADIUS Servers
Viewing High Availability Clusters
Selecting the TMS zl folder displays the TMS-High Availability tab. This tab lists all HA clusters that are configured in NIM or imported into NIM after being configured through the TMS zl Module CLI or Web browser interface. Figure 1-4. TMS-High Availability Tab
This tab displays the following information for each HA cluster:
Cluster ID: Number used to identify the cluster (1-16).
Clicking one of the clusters displays additional summary information at the bottom of the window, as shown in Figure 1-5. As noted in this area, this information is updated only when the display is refreshed and may not be current. Figure 1-5. Cluster Summary Information
Clicking the View ... button for a cluster displays real-time details of the cluster configuration, as shown in Figure 1-6 on the next page. Figure 1-6.
Synchronizing TMS zl Properties
The Synchronize TMS zl Properties function updates the TMS zl properties held in PCM with the current properties from the selected TMS zl Module or modules. Use TMS - Synchronize Properties to obtain the current attributes of a TMS zl Module (instead of the Re-Discover Device function). To synchronize the TMS zl properties of one or more TMS zl Modules:
1.
2.
3. Click the Properties tab, select the properties to synchronize, and click the Move >> button to move them to the Selected Properties panel. The available properties are described in Table 1-1, “TMS zl Properties for Synchronizing,” on page 1-19. Figure 1-8. Synchronize TMS zl Properties, Select Properties
4. Click OK. A progress window is displayed.
Table 1-1.
Configuring TMS zl Zones
Based on the operating mode of the TMS zl Module, you can either configure VLANs for the selected zones or configure management zones. Management zones are zones from which TMS zl Module configuration is allowed. Based on the VLANs associated with zones, management access (SSH, Web UI, SNMP) is allowed or denied to users.
3. Click Next. Figure 1-10. Zone Configuration Wizard, Select VLAN Configuration
4. Select VLAN Configuration as the zone configuration action and click Next. Figure 1-11.
5. Select the modules to be configured:
a. If displayed, use the Available Devices drop-down list to select the Agent managing the TMS zl module.
b. In the Available Devices list, highlight each TMS zl module that you want to configure.
c. Click >> to move the selected modules to the Selected Devices pane.
d. To remove a selected module, highlight the module in the Selected Devices list and click <<.
e. Click Next. Figure 1-12.
Figure 1-13. Zone Configuration Wizard, Configure VLANS and IP Addresses
7. Configure the VLANs and IP addresses for the zone:
a. In the Selected VLANs list, highlight the VLAN you want to associate with the zone. To display the VLANs configured in a module, double-click the folders.
b. Use the Zone drop-down list to select the zone with which the VLAN will be associated. Selecting a zone activates the remaining fields.
f. Click Next. Figure 1-14. Zone Configuration Wizard, Summary
8.
9. Complete the wizard:
a. Ensure the information displayed on the Summary window reflects the modules and correct configuration changes.
b. To permanently save these configuration changes on the module, check the Save Configuration check box.
c. To synchronize the configuration changes to the Participant module, check the Synchronize changes to participant checkbox.
Configuring a Management Zone
1. Navigate to the Zone Wizard:
a. Right-click the TMS zl folder or a TMS zl module in the navigation tree.
b. Select TMS-Network from the drop-down list.
c. Select Zone Wizard from the TMS-Network drop-down list.
2. Optionally, when the wizard appears, click Click here to refresh now to update PCM with the current zone settings on all the TMS zl Modules discovered by PCM.
3. Click Next.
4.
Figure 1-15. Zone Configuration Wizard, Select Management Zones
c. Click Next.
7. Ensure the Summary information is correct and complete the wizard.
a. Ensure the information displayed in the Summary window reflects the modules and correct configuration changes.
b. To permanently save these configuration changes on the module, check the Save Configuration check box.
c.
Configuring Authentication
The TMS zl Module provides security for your network by requiring users to authenticate to the network and requiring authorization for users to access specific resources and services. From the TMS - Network tab > Authentication subtab, NIM allows you to configure user groups and users, and to configure the RADIUS servers that the TMS zl Modules use for user authentication.
3. Click Next. Figure 1-17. Manage Users Wizard, Main Menu
4. Select Group for the Managed Object and Add for the Action, and click Next to create a user group.
5. Select the modules where the user group will be configured: Figure 1-18.
a. If displayed, use the Available Devices drop-down list to select the Agent managing the TMS zl module.
b. In the Available Devices list, highlight each TMS zl module where you want to configure the group.
c. Click >> to move the selected module to the Selected Devices pane.
d. To remove a selected module, highlight the module in the Selected Devices list and click <<.
e. Click Next.
6. Configure the User Group: Figure 1-19.
7. Ensure the Summary information is correct and complete the wizard. Figure 1-20. Manage Users Wizard, Summary
8.
a. Ensure the information displayed in the Summary window reflects the modules and correct configuration changes.
b. To permanently save these configuration changes on the module, check the Save Configuration check box.
c.
9. Deploy your changes to the selected module: Figure 1-21. Manage Users Wizard, Apply Settings
a. To end the process before it completes, click Halt. The process ends as soon as the property currently being configured is complete.
b. To display a summary listing whether the users or user groups were configured on the device, click Summary.
c.
Deleting a User Group
To delete a user group, perform the same steps as when adding a user group, with the following exceptions:
1. In the Manage Users Main Menu window, select Group for the Managed Object, and Delete for the Action.
2. In the Select Group/User Objects window, select the group to be removed.
3. After selecting the device and group to be removed, a confirmation prompt appears. Click Ok to remove the user group.
5. Configure the user: Figure 1-22. Manage Users Wizard, Configure Firewall/XAUTH User
a. In the Selected Device list, select the device or user group where the user will be added. All devices with at least one user group and one available user are displayed. If you select a device, all available user groups are listed in the User Group field.
b.
b. To permanently save these configuration changes on the module, check the Save Configuration check box.
7. Click Next to deploy your changes to the selected module.
8. Click Close to close the wizard.
Note: If the device(s) on which this configuration change is applied becomes a Master module in a high-availability cluster, these configuration changes will not be automatically synchronized to the Participant.
5. Configure the user: Figure 1-23. Manage Users Wizard, Configure L2TP User
a. Select the TMS zl Module on which the user will be configured.
b. In the User field, type the name of the L2TP user.
c. In the Password and Confirm Password fields, type the password that the L2TP user will enter when logging in. You must enter the same password in both fields.
d.
h. In the Primary DNS Server field, type the IP address of the DNS server used to translate between IP addresses and user-friendly host names.
i. In the Secondary DNS Server field, type the IP address of the backup DNS server used when the primary DNS server is unavailable.
j. In the Primary WINS Server field, type the IP address of the WINS server used to translate NetBIOS names.
k.
Modifying Users
To modify a Firewall/AUX or L2TP user, perform the same steps as when adding a user, with the following exceptions:
1. In the Manage Users Main Menu, select Firewall/AUX User or L2TP User for the Managed Object, and Modify for the Action.
2. After selecting the device(s), you will be prompted to select the group and user to be modified. Select the user and proceed as explained in “Configuring Firewall/XAUTH Users” on page 1-32.
Manage RADIUS Domains
1. Navigate to the Manage RADIUS Domain(s) configuration screen by one of these methods:
• In the PCM navigation tree, right click the TMS zl folder or the TMS zl Module being configured, and select TMS - Network > Manage RADIUS Domain.
• Left click the TMS zl folder or the TMS zl Module being configured. Then, click the TMS - Network tab > Authentication subtab > RADIUS Domain sub-subtab.
Figure 1-24. Manage RADIUS Domains
5. In the Manage RADIUS Domain(s) window, in the left pane, select the TMS zl Module being configured, and complete the configuration:
• In the RADIUS Domain field, type the name of the domain where the RADIUS server is located.
• In the IP Pool Range fields, type the beginning and ending IP addresses of the range that will be assigned to L2TP clients.
c. To synchronize the configuration changes to the Participant module, check the Synchronize changes to participant checkbox.
9. Click Next to deploy your changes to the selected module.
10. Click Close to close the wizard.
Manage RADIUS Settings
To configure a single module:
1.
To configure multiple modules:
1. Navigate to the Manage RADIUS Settings window by one of these methods:
• In the PCM navigation tree, right click the TMS zl folder, then click TMS - Network > RADIUS Settings.
• In the PCM navigation tree, left click the TMS zl folder, then click the TMS-Network tab > Authentication subtab > RADIUS Related Configuration subtab, and then click the Manage RADIUS Settings button in the toolbar.
Figure 1-26.
d. To remove a selected module, highlight the module in the Selected Devices list and click <<.
3.
4. Complete the RADIUS configuration for the selected module(s).
a. In the Authentication Protocol field, use the drop-down list to select the authentication method to be used.
b. To use a RADIUS server to authenticate L2TP clients, check the Use RADIUS to Authenticate L2TP Clients check box and type the IP address of the L2TP server.
c.
Configuring RADIUS Servers
The TMS zl Modules can be configured to operate with RADIUS servers to authenticate users. You can use NIM to identify the RADIUS servers that the TMS zl Modules will use.
1.
2. To configure the RADIUS server information, navigate to the Firewall Properties Wizard by one of these methods:
• Right click the TMS zl folder or a specific TMS zl Module in the PCM navigation tree.
3. Configure the RADIUS server identification. Figure 1-28. Firewall Properties Wizard, Configure RADIUS Server
a. To identify the RADIUS server that the TMS zl Modules will use for authentication, click the ADD button at the top left of the Server List pane.
b. In the Server Address field in the RADIUS Server Settings pane, type the IP address of the RADIUS server to be configured.
c.
4.
5. Complete the wizard:
a. Ensure the information displayed on the Summary window reflects the modules and correct configuration changes.
b. To permanently save these configuration changes on the module, check the Save Configuration check box.
c. If the TMS zl Module being configured is the Master in an HA cluster, you should synchronize this configuration change to the Participant module.
Configuring High Availability Clusters
Two TMS zl Modules can work together in a High Availability (HA) cluster, which provides high availability and redundancy in the rare event of a module failure. The modules in the HA cluster share connection state information. Should one module fail, the other module assumes most of its active connections, and the system is up and running again within a few seconds.
HA Architecture Overview
Two TMS zl Modules can be clustered for HA. The two modules can be in the same switch chassis (intra-chassis cluster) or in two different switch chassis (inter-chassis cluster). Only one HA cluster per switch chassis is supported. When HA is enabled, the module's internal port 2 becomes an untagged member of the HA VLAN and is dedicated to HA traffic.
The Master module and Participant module have the same configuration except for IP addresses. In active-standby mode, the Master handles all network traffic, so the Participant does not have any IP addresses on the TMS VLANs. Because of this, you cannot access the Web browser interface for the Participant. Any configuration changes must be made on the Master and then synchronized to the Participant.
■ When another cluster member begins to come online, it detects the cluster Master and reboots, using the cluster Master's startup-config as its own. When it comes online again, it is the cluster Participant.
■ The TMS VLAN settings that were configured on the cluster Participant before it became a cluster member are permanently erased.
■ It is highly recommended that no other network devices be placed between the switch chassis that contain the cluster members, to reduce the risk of link failure.
PCM navigation tree. An HA cluster created using the NIM Create Cluster function automatically removes the Participant device. You must select the “TMS zl” group in the PCM Navigation Tree and then select the cluster’s Master module to view the Participant device status.
■ Any modification to the policy configuration (add, modify or delete) that is stored on the Master and synchronized to the Participant requires a reboot of the Participant. Run the synchronization process once, at the end of all policy configuration changes.
c. Save the configuration of the future Participant, as this allows you to quickly reconfigure the module if you later remove it from the cluster. The configuration is lost when you remove the module from the cluster.
2.
and whose VLAN information has been discovered and/or synchronized, will be displayed in the list. The modules can be either in the same switch or in different switches in the same network.
c. Select different device IDs for the Master and Participant.
d. Enter a device priority (1-255).
Figure 1-30. Create an HA Cluster
Configure one or both modules that will be members of the HA cluster. You can add the second module later, but the HA cluster will not be useful until two modules are assigned to it.
7. Select whether to boot both modules, or just the Master module:
Booting Both Modules: To immediately create an HA cluster with the selected modules, ensure it is an appropriate time to reboot the devices and keep the checkbox next to the word Participant checked. HP recommends rebooting both modules so that the cluster is formed as soon as the devices are rebooted.
Import an HA Cluster Into NIM
HA clusters can be configured through either the TMS zl Module CLI or the Web browser interface. However, until the following procedures are performed, the cluster is not shown in NIM and cannot be managed by NIM.
Note: For clusters configured in NIM, the Participant modules are automatically removed from the PCM navigation tree and are not visible in the Devices List.
Figure 1-31. Import HA Cluster, Synchronize TMS Properties
3. Once the Master module is discovered, right click the Master module in the navigation tree and select TMS - Synchronize Properties from the menu.
4. In the Synchronize TMS Properties window, click the System folder and click the Move >> button to move all the items in that folder to the Selected Properties pane. The window will look similar to the one in Figure .
Note: For clusters that are created through the TMS zl Module CLI or Web browser interface and imported into NIM, once the cluster is formed the Participant module continues to be displayed in the navigation tree, with an indication that the module is not reachable. You can remove that module from the display without affecting the operation of the cluster by using the PCM Delete Device function:
1.
Note that the Participant is rebooted at the end of the process and then joins the cluster. Until the reboot is completed, displays of the cluster information show that there is no Participant.
b. Click OK to start the process to add the Participant to the cluster.
c. A progress bar is shown, which is replaced by Completed successfully when the cluster is created.
Figure 1-32.
• If you select Add the device as Master by creating a new cluster, the window shows just the fields to configure the Master module, as shown in the figure below. Select a unique Cluster ID and fill in the rest of the configuration fields. Then click OK. Figure 1-33. Add Device as Master to New Cluster
Note that the Master is rebooted at the end of the process and then joins the cluster.
Removing a Module from an HA Cluster
You may need to remove a module from a cluster for a number of reasons, including:
■ You want to deploy the module in another location in the network, or for another purpose.
■ New software must be loaded on the module (this requires removing the module from the cluster first).
■ You want to replace the module with a newer version.
Note: If you want the current Master module in a cluster to remain as the active module with the current configuration, you must first cause a failover to the Participant module (by rebooting the Master module) so that the Participant module becomes the new Master module. Then, when the Master module is removed, it is actually the prior Participant module that is removed, and the prior Master module remains.
Figure 1-34. Remove Device from Cluster
3.
module becomes reachable from NIM. If there is no Participant module, the IP address is lost and the TMS zl module will be unreachable. Access to the TMS zl module via NIM, the Web UI, or Telnet will not work. You must telnet into the CLI of the switch where the TMS zl Module is inserted.
Modifying an HA Cluster
Use the Modify Cluster function to modify properties of an existing cluster and device-specific properties of the members of the cluster. If no clusters are known to NIM TMS management, this menu item is disabled. To modify an HA cluster:
1. Synchronize the TMS zl properties of the Master module in the cluster.
Figure 1-35.
Removing an HA Cluster
You can remove a whole HA cluster using only NIM, which results in the configurations of the Master and Participant modules being reversed. Alternatively, you can remove the cluster by using a combination of the TMS zl Module CLI and NIM, which preserves the cluster configuration on the original Master module. In both cases, when the process completes, the cluster is no longer operational.
5. The Remove High Availability Cluster window displays the list of HA clusters that NIM TMS management has detected. Figure 1-36. Remove HA Cluster
6. Select the cluster to be removed and click OK.
7. A progress window is shown. When the cluster removal is completed, Completed successfully is shown for both of the modules. The cluster removal process is completed once the modules are rebooted.
8.
From there, go to the TMS zl Module CLI context and to the configuration level, and reconfigure the IP address of the module by giving the configuration commands: vlan ip address write memory After the commands are applied, the TMS zl Module will have the IP address you just assigned it and will no longer be part of the cluster.
Synchronizing the HA Cluster or HA Configuration
The Synchronize HA Cluster and Synchronize HA Configuration functions copy the complete configuration from the Master to the Participant and execute a Write Memory on the Participant. When this operation completes successfully, the Participant reboots automatically. Both Synchronize HA Cluster and Synchronize HA Configuration perform essentially the same function.
Figure 1-37. Synchronize HA Cluster
2. Select the cluster to be synchronized. Information about that cluster is displayed below the cluster list.
3. Select one of the two synchronization options that are available:
• Synchronize (copy) the last saved configuration on the Master to the Participant -- this option copies the last saved configuration for the Master to the Participant.
Synchronize HA Configuration
1. To navigate to the Synchronize HA Configuration window:
a. In the navigation tree, right-click the Master TMS zl Module in the HA cluster that you want to synchronize.
b. Select TMS-High Availability from the menu.
c. Select Synchronize Configuration from the sub menu. This option is disabled if the selected module does not belong to an HA cluster. The following dialog is displayed: Figure 1-38.
2 Managing TMS zl Firewalls
Contents
Viewing Firewall Configurations 2-3
Viewing Firewall Settings 2-8
Connection Allocations 2-9
Connection Timeouts 2-10
Port Maps
Configuring NAT Policies
To Create a NAT Policy:
To Prioritize NAT Policies:
To Delete a NAT Policy:
Configuring Port Triggers
Managing TMS zl Firewalls Viewing Firewall Configurations Viewing Firewall Configurations Once PCM automatically discovers TMS zl Modules in your network, you can view information about them, configure them as any combination of Firewalls or IPSs, and monitor alerts and actions taken in response to threats detected by the modules. Simply select the TMS zl node or a specific TMS zl Module in the PCM navigation tree, and click the TMS-Network, TMS-Firewall, TMS-IPS, or TMS-HA Clusters tabs.
The TMS-Firewall tab is displayed when the TMS zl node or a TMS zl module is selected in the PCM navigation tree. This tab contains subtabs listing firewall policies and rules and is used to view firewall policies for all discovered modules in one place or configure firewall policies on multiple modules in a single action.
Access Policies Subtab: This subtab contains the following Access Policies subtabs: Figure 2-2.
Figure 2-3.
Figure 2-4.
Synchronize Properties Dialog, which ensures firewall properties in PCM are the same as those on the firewall device. The Synchronize Properties button is enabled for all Firewall subtabs. This function can also be accessed through the right-click menu by right-clicking a TMS zl Module in the navigation tree and selecting Synchronize Properties. Firewall Access Policies Wizard, is used to add, edit, or remove firewall policies or rules.
• Port Map Connection Allocations The TMS zl Module allows you to reserve firewall connections for specific addresses or address ranges. This ensures the firewall is always available to route traffic for users and that users are able to access resources. Figure 2-5.
Reservation Count: Number of connections to reserve per IP address
Comments: Notes created for the reservation
Connection Timeouts To maintain secure sessions, the firewall times out (disconnects) inactive sessions after a specified time, which helps mitigate the effects of flooding attacks. The default timeouts (number of seconds to wait before disconnecting) for each type of session can be customized.
Port Number: Port used for the protocol
Timeout: Number of seconds to wait before ending an inactive session
Port Maps The TMS zl module uses port maps to learn which protocol/service to expect on each port. Port maps provide a way to map a standard service to a nonstandard port number. Figure 2-7.
Viewing Firewall Access Policies Selecting the TMS zl node or a specific TMS zl module and clicking the TMS-Firewall tab displays subtabs that contain another level of subtabs. Selecting the Access Policies subtab displays a subtab for each type of TMS zl access policy. Each subtab on the Access Policies subtab lists all defined access policies of that type. (Zones and Users are displayed on the TMS-Network tab.
enable management access on a zone. Three of these policies, which are from the management access zone to the Self zone, permit you to access the module from a Web browser or terminal session: • Permit HTTPS, Any Address to Any Address • Permit HTTP, Any Address to Any Address • Permit SSH, Any Address to Any Address This subtab provides the following information for each Unicast policy defined for each zone-to-zone combination.
Multicast Information The Multicast subtab on the Firewall > Access Policies tab for the TMS zl node or a specific TMS zl module displays the following information for all Multicast access policies configured on the selected TMS zl device(s). Figure 2-9. TMS-Firewall Tab, Access Policies > Multicast Subtab Access policies for multicast traffic are aimed at traffic destined to a multicast address between 224.0.0.0 and 239.255.255.255.
This subtab provides the following information for each Multicast policy defined for each zone-to-zone combination. To view policy information, click the lever to the left of the folder icon (in the Position column).
Position: Priority of policy
Action: Whether traffic will be permitted or denied (All traffic is denied by default unless specifically allowed.)
Service: Application-level service (HTTP, FTP, SNMP, etc.
Addresses The Addresses subtab on the Firewall > Access Policies tab for the TMS zl node or a specific TMS zl module displays the following information for all Address Object access policies configured on the selected TMS zl device(s): Figure 2-10.
Services The Services subtab on the Firewall > Access Policies tab for the TMS zl node or a specific TMS zl module displays the following information for all services configured on the selected TMS zl device(s): Figure 2-11. TMS-Firewall Tab, Access Policies > Services Subtab Information shown on the Services subtab is also displayed on the Access Policies, NAT Policies, and Port Triggers tabs, and changes to one affects all these tabs.
Schedules The Schedules subtab on the TMS-Firewall > Access Policies tab lists all Schedule access policies defined for all TMS zl modules or a selected TMS zl module. To display schedule information, click the folders in the Name column. Figure 2-12.
NAT Policies The Policies subtab on the Firewall > NAT Policies tab for the TMS zl node or a specific TMS zl module displays the following information for all NAT policies configured on the selected TMS zl device(s): Figure 2-13. TMS-Firewall Tab, NAT Policies > Policies Subtab
Position: Priority of policy
Service: Application-level service (HTTP, FTP, SNMP, etc.) where the policy will be applied. Common services are listed in Services.
NAT Addresses The Address subtab on the Firewall > NAT Policies tab for the TMS zl node or a specific TMS zl module displays the following information for all NAT Address and Address Group policies configured on the selected TMS zl device(s): Figure 2-14.
NAT Services The Services subtab on the Firewall > NAT Policies tab for the TMS zl node or a specific TMS zl module displays the following information for all NAT Services and Service Group policies configured on the selected TMS zl device(s): Figure 2-15.
Viewing Port Triggers Some applications dynamically negotiate ports other than well-known ports for data transfer, such as FTP and HTTP. The firewall in the TMS zl Module can handle these dynamic connections through user-configured port triggers. The intelligence to handle these dynamic connections is sometimes called an application-level gateway (ALG). However, ALGs can be more complex than a simple port trigger.
Figure 2-16.
Information shown on the Address subtab is also displayed on the Access Policies, NAT Policies, and Port Triggers tabs, and changes to one affects all these tabs.
Name: Name of the access policy. Double-click the folders in this column to display subordinate folders.
Information shown on the Services subtab is also displayed on the Access Policies, NAT Policies, and Port Triggers tabs, and changes to one affects all these tabs.
Name: Name of the device, Service Object, or Service Group (displayed in a hierarchical view that can be expanded by clicking the folder icons)
Protocol/Ports: Protocol and port configured for the service. Multiple entries are displayed as a comma-separated list.
Managing TMS zl Firewalls Configuring Firewalls Configuring Firewalls Once communication is established between NIM and a TMS zl Module, you can use the following NIM TMS management tools to configure a TMS zl firewall in the order listed: ■ Named Objects (Addresses, Services, Schedules) ■ Firewall Properties ■ Firewall Zone Properties ■ Firewall Access Policies ■ NAT Policies Multiple TMS zl Modules can also be configured simultaneously.
• Schedule objects, which specify any combination of days of week and time of day. Some manual configuration must be completed at the TMS zl module before NIM can be used to manage configurations, as explained in Configuring TMS zl Modules. NAT policies and VPN policies support only single-entry address objects and service objects.
Figure 2-19. Named Object Wizard 2. Optionally, when the wizard appears, click Click here to refresh now to update PCM with the current device settings. 3. Click Next.
4. Select the type of named object and action to be configured: Figure 2-20. Named Object Wizard, Select Action a. b. Select the Named Object Type:
Select... / To create a named object for...
Address: IP addresses, domains, and networks or VLANs
Service: Protocol and single port (e.g., TCP 80) or range of ports (e.g., UDP 50000 to 50010)
Schedule: Schedule containing any combination of days of week and time of day.
Select... / To...
Modify Named Object: Modify address objects, which can represent a number of hosts, subnets, or IP address ranges. Address objects can also be added to network groups.
c. 5.
6. Note: b. In the Available Devices list, highlight each TMS zl module where you want to add or modify the named object. To display devices, double-click the folders. c. Click >> to move the selected device to the Selected Devices pane. d. To remove a selected device, highlight the module in the Selected Devices list and click <<. e. Click Next.
7. Note: b. In the Name field, replace NewAddress with the name that will be used to identify the IP address, network, or domain. c. Use the Type drop-down list to select the address type:
IP: One or more nonsequential IP addresses
Range: Range of IP addresses
Network: IP address and mask
Domain Name: Network name for the domain
d. To include a single address in the object, select Single.
Figure 2-23. Named Object Wizard, Service Configuration a. In the Configure window, click Add, which creates a named object with the default name NewService. The Add and Del buttons can be used only when Add is selected on the Select Configuration Action window. b. In the Name field, replace NewService with the name that will be used to identify the service. c.
8. Note: Configure a schedule to label one or more schedules with a meaningful name, which allows greater ease of device configuration. You must select Schedule as the Named Object Type and the Add or Modify action on the Select Configuration Action window to display these properties. Figure 2-24. Named Object Wizard, Schedule Configuration a. In the Configure window, click Add, which creates a named object with the default name NewSchedule.
9. e. If you are defining multiple schedules and want to remove one, select it and click Del. The Add and Del buttons can be used only when Add is selected on the Select Configuration Action window. f. Click Next. Optionally, configure an address or service group object. All address objects or service objects that will be grouped must first be defined, and you must select Add Group on the Select Configuration Action window: Figure 2-25.
f. Click Next. 10. Review the Summary of Changes: Figure 2-26. Named Object Wizard, Summary a. Ensure the information displayed on the Summary of Changes window reflects the devices and objects you want to configure. b. To permanently save these configuration changes on the security device, check the Save Configuration check box.
Figure 2-27. Named Object Wizard, Apply Settings a. To end the process before it completes, click Halt. The process will be ended as soon as the property currently being configured is complete. Clicking Halt does not halt any device operations that have already begun. It halts the operation only for devices on which the operation is yet to begin. Clicking Cancel after clicking Halt does not cancel any device operations that have already begun.
a. Right-click the TMS zl node or a TMS zl module in the navigation tree. b. Select Firewall from the drop-down list. c. Select Named Objects Wizard in the Firewall list. You can also open the Named Object Wizard by clicking the Named Object Wizard button on the Addresses, Services, and Schedules tabs of the Firewall Access Policies subtab and the Services and Schedules tabs of the NAT Policies and Port Triggers subtabs. 2.
5. 6. c. Click >> to move the selected device to the Selected Devices pane. d. To unselect a selected device, highlight the module in the Selected Devices list and click <<. e. Click Next. Select the named objects to be removed. a. In the Available list, highlight each object that you want to delete. b. To filter this list, type the text to be excluded from the list. c. Click >> to select the device. d. Click Next.
Note: Some manual configuration must be completed at the TMS zl module before NIM can be used to manage configurations, as explained in Configuring TMS zl Modules. 1. Navigate to the Firewall Access Properties Wizard by clicking the Firewall Properties button on the tab toolbar. OR Right-click the security device in the navigation tree, select Firewall, and then select Firewall Access Properties Wizard from the drop-down list. 2.
Property Type: Description
IP Reassembly: How fragmented IP packets are reconstructed by a router before forwarding them to their destination
Operating Mode: How the security device will be used (for Routing, which filters traffic by VLAN, or as a Monitor, which monitors threats but does not prevent or block them)
Attack Settings: Types of threats monitored, which provides an additional level of security
Connection Allocation Zone Limits: Maximum number o
7. If you selected IP Reassembly on the Select Action window, configure IP reassembly rules. These rules determine how fragmented IP packets are reconstructed by a router before forwarding them to their destination, and whether IP reassembly is enabled or disabled. In the IP Reassembly Configuration window, configure the following properties. Figure 2-30. Firewall Access Properties Wizard, IP Reassembly a. To enable IP reassembly, check Enable IP Reassembly.
8. If you selected Operating Mode on the Select Action window, select the operating mode and click Next. Figure 2-31. Firewall Access Properties Wizard, Operating Mode Routing - Security device operates as a NAT device to provide special routing capabilities. Monitor - Security device detects security threats but does not prevent or block them.
9. If you selected Attack Settings, define the types of possible threats you want to monitor and block, which provides an additional level of security. Figure 2-32. Firewall Access Properties Wizard, Attack Settings Click Next when all desired threat types are selected. ICMP Replay: An ICMP replay attack impersonates an end or intermediate device and repeatedly replays the error message.
SYN Flooding: When a new connection request is received, the server allocates resources for it. A SYN flood exploits the process of establishing a TCP/IP session by repeatedly sending SYN packets and not replying to the responder's SYN/ACK packets. The attacker can forge a large number of requests over a very short period, so your server runs out of resources.
a. Type the maximum number of connections allowed at any one time for each zone. You may assign any number of connections per zone, but the total number of connections in all zones cannot exceed 500,000. b. Click Next. 11. If you selected RADIUS Configuration, add a RADIUS server as follows: a. To identify the TMS zl Modules that will use a RADIUS server for authentication, click the ADD button at the top left of the Server List pane. b.
12. If you selected Connection Timeout - Defaults, identify how long a specific type of connection can remain idle before it times out. Figure 2-33. Firewall Access Properties Wizard, Default Connection Timeouts a. In the TCP field, type the number of seconds to wait before timing out an inactive TCP session. b. In the UDP field, type the number of seconds to wait before timing out an inactive UDP session. c.
13. If you selected Connection Timeout - Custom, define the custom timeouts used to override a default timeout for a specific service. Figure 2-34. Firewall Access Properties Wizard, Custom Connection Timeouts a. In the Select Timeout pane, click Add. b. In the Port field, type the number of the port for which you want to set a timeout value. c. Select the protocol for which you want to set a timeout value from the Protocol drop-down list. d.
14. If you selected Connection Allocation - Reservations, configure Connection Reservations for zones, that is, the connections reserved for a zone. This function is especially useful for guaranteeing connections during heavy traffic or a Denial of Service attack. Figure 2-35. Firewall Access Properties Wizard, Connection Reservations a.
f. In the Comments field, optionally type a note or description that helps to identify the reservation. g. Click Next. 15. If you selected Port Maps, associate ports other than the well-known port numbers with selected applications. The TMS zl module uses these port mappings to apply policies and detection methods to the traffic that uses those ports. Figure 2-36. Firewall Access Properties Wizard, Port Maps a.
a. Ensure the information displayed on the Summary of Changes window reflects the device and properties you want to configure. b. To permanently save these configuration changes on the security device, check the Save Configuration check box. If the device(s) on which this configuration change is applied holds the Master role in a high-availability cluster, these configuration changes will not be automatically synchronized to the participant.
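The connection-allocation properties set in the steps above (zone limits whose sum may not exceed 500,000, per-address reservations, and default plus custom idle timeouts) interact in a way the wizard pages do not show. The following Python model is an added illustration written for this guide, not HP's firewall code; every zone name, address and timeout value in it is constructed.

```python
"""Constructed model of zone limits, per-address connection reservations and
idle timeouts as described for the Firewall Access Properties Wizard.
Illustration only; not HP's firewall code. All values below are made up."""
from dataclasses import dataclass
import ipaddress

MAX_TOTAL_CONNECTIONS = 500_000   # the guide's cap on the sum of all zone limits


@dataclass
class Conn:
    zone: str
    src: str
    proto: str          # "tcp" or "udp"
    dport: int
    last_seen: float    # seconds; refreshed whenever the session carries traffic
    reserved: bool      # True if admitted from the source address's reservation


class ConnectionTable:
    def __init__(self, zone_limits, reservations, default_timeouts, custom_timeouts=None):
        # zone_limits: {zone: max simultaneous connections}
        if sum(zone_limits.values()) > MAX_TOTAL_CONNECTIONS:
            raise ValueError("zone limits exceed %d connections" % MAX_TOTAL_CONNECTIONS)
        self.zone_limits = zone_limits
        # reservations: [(zone, "10.0.0.5/32", count)] -> count held back per address
        self.reservations = [(z, ipaddress.ip_network(n), c) for z, n, c in reservations]
        self.default_timeouts = default_timeouts       # {"tcp": 3600, "udp": 60}
        self.custom_timeouts = custom_timeouts or {}   # {(proto, port): seconds}
        self.conns = []

    def reserved_pool(self, zone):
        """Slots held back in a zone for reserved addresses; nobody else may use them."""
        return sum(c * net.num_addresses for z, net, c in self.reservations if z == zone)

    def reservation_for(self, zone, src):
        """Reserved connections per address for src in zone, or 0 if none."""
        addr = ipaddress.ip_address(src)
        return next((c for z, net, c in self.reservations
                     if z == zone and addr in net), 0)

    def count(self, zone, reserved=None, src=None):
        """Number of live sessions in zone, optionally filtered by pool and source."""
        return sum(1 for c in self.conns
                   if c.zone == zone
                   and (reserved is None or c.reserved == reserved)
                   and (src is None or c.src == src))

    def idle_limit(self, proto, dport):
        """A custom per-port timeout overrides the protocol default."""
        return self.custom_timeouts.get((proto, dport), self.default_timeouts[proto])

    def expire(self, now):
        """Drop sessions idle longer than their timeout; returns how many were dropped."""
        before = len(self.conns)
        self.conns = [c for c in self.conns
                      if now - c.last_seen <= self.idle_limit(c.proto, c.dport)]
        return before - len(self.conns)

    def admit(self, zone, src, proto, dport, now):
        """Return True if a new session from src is admitted under the zone's limits."""
        self.expire(now)
        # 1. A reserved address may always use its own reserved slots.
        quota = self.reservation_for(zone, src)
        if quota and self.count(zone, reserved=True, src=src) < quota:
            self.conns.append(Conn(zone, src, proto, dport, now, True))
            return True
        # 2. Everyone else competes only for the limit minus the reserved pool,
        #    so a flood from one host cannot starve the reserved addresses.
        unreserved_capacity = self.zone_limits[zone] - self.reserved_pool(zone)
        if self.count(zone, reserved=False) < unreserved_capacity:
            self.conns.append(Conn(zone, src, proto, dport, now, False))
            return True
        return False


def demo():
    """Constructed scenario: a 10-connection zone with 2 slots reserved for 10.0.0.5."""
    table = ConnectionTable(
        zone_limits={"internal": 10},
        reservations=[("internal", "10.0.0.5/32", 2)],
        default_timeouts={"tcp": 3600, "udp": 60},
        custom_timeouts={("udp", 53): 10},    # custom timeout for DNS sessions
    )
    # A single host floods UDP/53: only the 8 unreserved slots are ever granted.
    flood = [table.admit("internal", "10.0.0.99", "udp", 53, now=0.0) for _ in range(20)]
    # The reserved host still gets its 2 slots; a third request falls into the full pool.
    reserved = [table.admit("internal", "10.0.0.5", "tcp", 443, now=0.0) for _ in range(3)]
    # After the custom 10 s DNS timeout the flood's sessions expire and capacity returns.
    expired = table.expire(now=11.0)
    after = table.admit("internal", "10.0.0.42", "tcp", 80, now=11.0)
    return flood.count(True), reserved, expired, after
```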
To associate VLANs with a zone: 1. Navigate to the Zone Wizard. i. Right-click the TMS zl node or a TMS zl module in the navigation tree. ii. Select TMS-Network from the drop-down list. iii. Select Zone Wizard from the Firewall drop-down list. 2. Optionally, when the wizard appears, click Click here to refresh now to update PCM with the current zone settings on the selected device(s). 3. Click Next. 4.
To configure a management zone: 1. Navigate to the Zone Wizard. i. Right-click the TMS zl node or a TMS zl module in the navigation tree. ii. Select Firewall from the drop-down list. iii. Select Zone Wizard from the Firewall drop-down list. 2. Optionally, when the wizard appears, click Click here to refresh now to update PCM with the current zone settings on the selected device(s). 3. Click Next. 4.
12. Click Close to close the wizard. Configuring Access Policies Firewall access policies are rules that govern the traffic that is allowed on a device. Use the Firewall Access Policies Wizard to configure access policies. Some manual configuration must be completed at the TMS zl module before NIM can be used to manage configurations, as explained in Configuring TMS zl Modules.
3. Click Next. Figure 2-38. Firewall Access Policies Wizard, Select Action 4. Select the type of policy to be configured and the configuration action: a. Select the Rule Set:
Select... / To control traffic to...
Unicast: Unicast policies
Unicast Group: Unicast policies for specific user groups
Multicast: IP addresses 224.0.0.0-239.255.255.255
b. Select the Action.
c. 5. 6. Click Next. Select the firewall devices to be configured. a. If displayed, use the Available Devices drop-down list to select the Agent managing the TMS zl module. b. In the Available Devices list, highlight each TMS zl module that you want to configure. To display devices managed by the selected Agent, double-click the folders. c. Click >> to move the selected device to the Selected Devices pane. d.
b. Use the Action drop-down list to select whether traffic between the selected zones is permitted or denied. c. Use the From drop-down list to select the source zone of packets that will be governed by the policy. The policy is applied only to packets that match both the source and destination zones. d. Use the To drop-down list to select the destination zone of traffic that will be governed by the policy.
k. To use the policy for intrusion protection, check the Enable IPS for this Policy check box. l. To record all actions taken by the policy, check the Enable logging on this Policy check box. m. If you want to add the rule at a specific position, type the rule position number in the Position field. Possible values are between 1 and the total number of rules in the zone. n. 7. Click Next.
d. To limit traffic by the number of connections within a specific number of seconds between the selected zones during the scheduled time, check the second Maximum Connections check box and type the maximum number of connections allowed and the number of seconds. For example, to limit traffic to 1000 connections every 10 seconds, type 1000 every 10 seconds.
6. 7. d. To remove a selected device, highlight the module in the Selected Devices list and click <<. e. Click Next. In the Select Policies window, select the policies to be prioritized. Click a folder to expand it and display all access policies defined on the device. a. If displayed, use the Available Devices drop-down list to select the Agent managing the TMS zl module. b.
9. In the New Position field, type the position number (order of priority) you want to assign to the selected policy. 10. Once the policies are in the desired order, click Next and continue the wizard as you did when configuring a policy. To Delete an Access Policy: 1. Navigate to the Firewall Access Policies Wizard. a. Right-click the TMS zl node or a TMS zl module in the navigation tree. b. Select Firewall from the drop-down list. c.
5. e. To remove a policy from the Selected Devices pane, highlight the policy in the Selected Rules list and click <<. f. Click Next. Ensure the Summary window lists the policies you want to delete, and click Next to delete the displayed rules. Once the wizard completes, click Finish to close the wizard. To Deploy an Access Policy: Firewall policies can be deployed on multiple TMS zl modules in parallel.
d. Select Exit from the Services File menu to close the Services window. Configuring NAT Policies NAT policies have many uses. For example, you can use a NAT policy to perform NAT on traffic that is transmitted between the public and private networks. You can also use NAT to conceal your private IP addresses from users in a guest VLAN or allow guest endpoints to access services in the internal network.
To Create a NAT Policy: 1. Navigate to the NAT Policies Wizard. a. Right-click the TMS zl node or a TMS zl module in the navigation tree. b. Select Firewall from the drop-down list. c. Select NAT Policies Wizard from the Firewall drop-down list. You can also open the NAT Policies Wizard by clicking the NAT Policies Wizard button on the Policies tab of the Firewall NAT Policies subtab. 2.
6. Configure the policy. Figure 2-42. NAT Policies Wizard, Configure Policy a. In the Select NAT policy pane of the Configure window, click Add, which creates a NAT policy with the default name NewRule. The Add and Del buttons can be used only when Add is selected on the Select Configuration Action window. b.
d. Use the To Zone drop-down list to select the destination zone of packets that will be translated. e. Use the Service drop-down list to select the service and port (default port or corresponding named object) to allow translation of specific services. Select Any Service to allow translation of all traffic from the selected source to the selected destination. f.
If the device(s) on which this configuration change is applied holds the Master role in a high-availability cluster, these configuration changes will not be automatically synchronized to the participant. To synchronize to the participant, you must synchronize the configuration after completing this wizard. To Prioritize NAT Policies: Prioritize NAT policies to identify the order in which NAT policies will be executed.
2. Select Port Trigger Wizard from the Firewall drop-down list. Figure 2-43. Port Trigger Wizard 3. Optionally, when the wizard appears, click Click here to refresh now to update PCM with the current device settings. 4. Click Next.
5. On the Select Configuration Action window, check whether you want to Add, Modify, or Delete the port trigger. Figure 2-44. Port Trigger Wizard, Select Action 6. Select the device(s) you want to configure.
7. Configure the port trigger. Figure 2-45. Port Trigger Wizard, Configure Policy a. To configure a new port trigger, in the Configure window of the Port Trigger Wizard, click Add, which creates a port trigger with the default name NewPortTrigger_. The Add and Del buttons can be used only when Add is selected on the Select Configuration Action window. b. To modify an existing port trigger, select the trigger to be modified from the left pane.
e. To configure a port trigger based on traffic from a named service object, ensure the Protocol drop-down list is set to Use defined objects and type the name of the service object to be used as a port trigger. f. To configure a port trigger based on the service, use the Protocol drop-down list to select Enter custom Protocol/Ports and select the service to be used as a port trigger. g.
9. Deploy the configuration changes and view the results. a. To end the process before it completes, click Halt. The process will be ended as soon as the property currently being configured is complete. b. To display a summary listing whether the port trigger for each device was configured on the device, click Summary. c. Ensure the Status column or Summary shows that the configuration change was completed successfully for each device.
3 Configuring a TMS zl Module as an IPS
Contents
Intrusion Prevention 3-2
Signatures 3-2
Protocol Anomalies 3-2
Actions 3-2
Performance
Intrusion Prevention

The TMS zl Module, when operating in routing mode as an Intrusion Prevention System (IPS), can stop known viruses (identified by a signature) from spreading through your network.

Signatures

TMS zl modules use a signature file containing a signature for each known virus to check all traffic routed through or mirrored to the TMS zl Module.

Performance

Because every packet is checked against every signature in the signature file and against each protocol anomaly threat, performance can be affected. You can improve performance by disabling signatures that you do not need. For example, if MS SQL is not used in your network, you can disable all MS SQL-related signatures. Use the IPS Signatures Wizard to enable or disable specific signatures in the signature file.
Viewing Intrusion Prevention Data

Viewing TMS zl Device Group Data

Selecting the TMS zl device group in the PCM navigation tree displays the TMS-IPS tab.

Figure 3-1.

Severe Action: Action set for the severe severity level (empty when the module is in IDS mode)
Minor Action: Action set for the minor severity level (empty when the module is in IDS mode)
Signature Version: Signature version on the module
Signature Update Schedule: Signature update schedule configured on the module
Signature Last Update Status: Status of the last signature update
Signature Last Update Time: Time of the last signature update
Limited Insp

Signatures: Lists the available signatures on the module and their status, and provides a filter for the list of signatures. Double-click a signature to display its description. Refresh the information shown in the subtabs by clicking Synchronize TMS Properties.

Maximum URL line size in bytes: Maximum number of lines in the URL for events with the HTTP protocol
Maximum number of lines per header: Maximum number of lines in the header of events with the HTTP protocol
MIME Headers:
Maximum header size in bytes: Maximum number of characters in the MIME header of events with the MIME protocol
Maximum boundaries per message: Maximum number of characters in each body section for events with the MIME protocol
SMTP Heade

Figure 3-3.

Status: Whether the signature is Disabled or Enabled in the selected module
Action: Action set to be triggered by the alert
Industry ID: CVE ID and/or Bugtraq ID defined for the signature

If a signature description has already been discovered for a signature, it is displayed in a tooltip when you mouse over the signature name in the Signatures subtab.
Configuring IPS

A TMS zl Module must be configured for IPS, and IPS must be enabled, before the module can detect threats. To configure a module for IPS operation:
1. Configure the IPS settings.
2. If the IPS will perform an action when it detects a protocol anomaly:
   a. Configure protocol anomalies.
   b. Configure IPS actions.
3. If the IPS will detect packets containing signatures of known threats:
   a. Configure signatures.
   b.
4.

1. Navigate to the IPS Settings window.
   To update a single device:
   a. Right-click the IPS TMS zl module in the PCM navigation tree or the Devices List.
   b. Select TMS-IPS.
   c. Select Settings from the drop-down list.
   OR
   a. Select the TMS zl node in the navigation tree.
   b. Click the Devices List tab.
   c. Select the module you want to update.
   d. Click the IPS Configuration menu on the window toolbar and select Settings from the drop-down list.

Setting these values to 0 (zero) results in full inspection.
6. To permanently save the configuration as the secondary configuration on the module, check the Save configuration to selected device(s) check box. Otherwise, your configuration changes are made only in the module's running configuration.
7. Click OK, which opens the result window and starts the configuration change.
8.
Figure 3-5.

IPS Protocol Anomalies

Each application protocol specifies particular policies and behavior. Using protocol anomaly detection, a TMS zl module with IPS enabled examines traffic to verify that traffic for a protocol conforms to the application settings.
1. Navigate to the IPS Protocol Anomalies window.
   To update a single module:
   a. Right-click the IPS TMS zl module in the PCM navigation tree or the Devices List.
   b. Select TMS-IPS.
   c.
   b. Click the Devices List tab.
   c. Select the module you want to update.
   d. Click the IPS Configuration menu on the window toolbar and select Protocol Anomalies from the drop-down list.
   To update multiple modules:
   a. Select the TMS zl folder in the PCM navigation tree.
   b. Display the Devices List tab.
   c. Select the modules you want to update.
   d.
Configuring IPS Actions

The IPS Actions window is used to configure the action to take for events based on their severity. For example, when the selected module receives a critical event, it takes the action configured for critical severity. IPS Actions are configured on the TMS zl module immediately, but are not applied until IPS is enabled. IPS Actions configuration does not apply to a module currently operating in IDS mode.

   b. Select TMS-IPS.
   c. Select Actions from the drop-down list.
   OR
   a. Select the TMS zl node in the navigation tree.
   b. Click the Devices List tab.
   c. Select the module you want to update.
   d. Click the IPS Configuration menu on the window toolbar and select Actions from the drop-down list.
   To update multiple modules:
   a. Select the TMS zl folder in the PCM navigation tree.
   b. Display the Devices List tab.
   c.
2.
Configuring IPS Signatures

The TMS zl module uses a signature file to determine which traffic might be an intrusion. This signature file contains the pattern definition for all known attacks and must be updated regularly to keep up with new attacks as they are discovered.

Note: To ensure that the IDS gets the latest signature updates, you must purchase a subscription license and register the TMS zl module with the HP subscription service.

   OR
   a. Select the TMS zl node in the navigation tree.
   b. Click the Devices List tab.
   c. Select the module you want to update.
   d. Click the IPS Configuration menu on the window toolbar and select Signatures from the drop-down list.
   To update multiple modules:
   a. Select the TMS zl folder in the PCM navigation tree.
   b. Display the Devices List tab.
   c. Select the modules you want to update.
   d.
2.

If the Status column is updated for some signatures (signatures are selected and Enable/Disable is applied), these settings remain even if a filter is applied, removed, or changed.

Figure 3-8. IPS Signatures Wizard, Select Signatures

3.
   • To enable/disable a family of signatures, select the folder representing the family.
4. To enable/disable multiple disjoint sets or families of signatures, repeat this selection process and click Enable IPS Signatures or Disable IPS Signatures. The status of the selected signatures shown in the Status column changes to Enabled or Disabled. Check the Status column to verify that it shows the requested status for the signatures.
5. Click Next.

Figure 3-10. IPS Signatures Wizard, Applying Settings

7. Confirm the successful completion status of the wizard, and click OK, which opens the result window and starts the configuration change.
8. Click Halt at any time to cancel the update process; the wizard closes after the current TMS module is updated. Halt cancels the update process on those TMS modules on which it has not yet started.
Updating Signatures

The IPS Signature Updates window is used to configure proxy server settings and the signature update schedule. It is also used to update signatures immediately (download from the signature server) on the selected TMS modules, assuming IPS is enabled.

Figure 3-11. Signature Updates

1. Navigate to the IPS Signature Updates window:
   To update a single module:
   a.
   d. Click the IPS Configuration menu on the window toolbar and select Signature Updates from the drop-down list.
   To update multiple modules:
   a. Select the TMS zl folder in the PCM navigation tree.
   b. Display the Devices List tab.
   c. Select the modules you want to update.
   d. Click the IPS Configuration menu button on the window toolbar and select Signature Updates from the drop-down list.

7. To permanently save the configuration as the secondary configuration on the module, check the Save configuration to selected device(s) check box. Otherwise, your configuration changes are made only in the module's running configuration.
8. Click OK, which opens the Results window and starts the configuration change.
9.
4 Configuring a VPN on the HP TMS zl Module

Contents
VPNs 4-5
Before You Begin 4-6
Synchronizing TMS Properties 4-6
Find Your Configuration Instructions 4-9
IPsec VPNs
Configure IKE and IPsec Settings Using the Deploy IPsec Remote-Access VPN Wizard 4-30
Typical Setup 4-32
Custom Setup 4-48
Configure IKE and IPsec Settings Using the Manage IPsec Wizard 4-68
Create an IKE Policy for a Client-to-Site VPN
L2TP User Authentication
Configure Local L2TP Authentication
Configure L2TP Authentication to an External RADIUS Server
Create Access Policies for an L2TP over IPsec VPN
Verify Routes for the L2TP over IPsec VPN
Install Certificates Using SCEP
Configure SCEP Settings
Retrieve the CA Certificate
Retrieve the CRL
Retrieve the IPsec Certificate
VPNs

In addition to providing a firewall and an Intrusion Detection System/Intrusion Prevention System (IDS/IPS), the HP Threat Management Services (TMS) zl Module supports virtual private networks (VPNs). Using the TMS management capabilities of HP Network Immunity Manager (NIM), you can configure a VPN on one or more TMS zl Modules to connect two trusted endpoints over an untrusted network.

• Microsoft Windows XP, Vista, and 7 (both 32-bit and 64-bit) operating systems' native VPN clients

Before You Begin

Before you use NIM to configure VPN properties on your TMS zl Modules, verify that you have properly discovered the modules in PCM+. (See the instructions earlier in this guide.) You should also synchronize the TMS zl Module's properties to ensure that they are up to date.

Figure 4-1. PCM+ > TMS-VPN > IPsec Window
Figure 4-2. (8200zl, TMS zl, Synchronize TMS Properties)

3. If you are synchronizing only one module, move directly to the next step. Otherwise, follow these steps:
   a. The window has two tabs. Initially, the Devices tab is selected. Select the modules that you want to synchronize and click Move. (You can hold [Ctrl] to select multiple modules at once.)
   b. Click the Properties tab. Select each property that you want to refresh and click Move. To synchronize all the properties, click Move All.
4.
Find Your Configuration Instructions

If you know which type of VPN you want to configure, see Table 4-1 for the page at which the configuration instructions begin. (The table also indicates where you can find general background information on the technologies involved.) This chapter also provides instructions for managing VPN settings. Refer to the table of contents.

Table 4-1.
IPsec VPNs

■ Encapsulation Security Payload (ESP)
■ Internet Key Exchange (IKE)

This section describes how these protocols interact to establish the secure tunnel, or security association (SA).

IPsec Headers

Operating at the network layer of the Open Systems Interconnection (OSI) model, IPsec secures IP packets by encapsulating them with an IPsec header, which is either an AH or an ESP header.

In tunnel mode, an AH header authenticates both the payload (including the original IP header) and the delivery IP header. An ESP header authenticates only the payload (including the original IP header) but can also encrypt the payload.

Transport Mode

In transport mode, a packet is encapsulated with an IPsec header before the IP header is added, thereby reducing overhead.
To provide data privacy, the tunnel endpoint transforms packets with symmetric encryption algorithms. This type of algorithm uses a key to transform data into a new string. Only an endpoint using the same algorithm and key can extract the original data from the encrypted string.
When sending outbound packets (which have already passed firewall, NAT, and IDS/IPS checks), the TMS zl Module checks whether the packet matches the traffic selector in an active outbound SA. If it does, the module uses the keys in the SA to encrypt and encapsulate the packet. The module also checks whether the packet matches a traffic selector in an IPsec policy.
■ "Configure an L2TP over IPsec Client-to-Site VPN" on page 4-253
■ "Configure a GRE over IPsec VPN with IKE" on page 4-340

IKE version 1

IKEv1 follows a set process to negotiate the IPsec SA and passes through two phases. The first phase establishes a preliminary tunnel, or IKE SA. The second phase establishes the IPsec SA. When you understand this process, you will find it much easier to configure VPNs on the TMS zl Module.

■ SA lifetime in seconds
■ Other parameters, such as whether XAUTH is required or NAT-T is supported

You will specify these proposals in an IKE policy.

Figure 4-6. IKE Phase 1: Security Parameters Exchange

The remote endpoint searches its IKE policies for one that specifies the other endpoint and that includes an identical security proposal. When it finds a match, the remote endpoint returns these security parameters to the original endpoint.
the actual keys for you during the second exchange of IKE phase 1. This protocol is a secure method for generating unique, shared keys without sending them over the connection and thus exposing them to interception.

Figure 4-7. IKE Phase 1: Key Generation Exchange

The final IKE phase 1 exchange and all IKE phase 2 exchanges are secured by these keys.
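The key-generation exchange above, worked through end to end as an added example (this is illustrative code, not HP's or the module's implementation). Each side publishes only g^x mod p, derives the same g^xy locally, and then runs the preshared-key SKEYID derivation of RFC 2409 so that the phase 1 and phase 2 keys are never transmitted. The Diffie-Hellman group used here (a 127-bit Mersenne prime) is an assumption chosen to keep the example fast; IKE uses the much larger MODP groups.

```python
import hashlib
import hmac
import secrets

# Added example (not HP code). Toy Diffie-Hellman group: a Mersenne prime that is
# far too small for real use; IKE negotiates one of the RFC 2409/3526 MODP groups.
P = 2**127 - 1
G = 2


def dh_public(private: int) -> int:
    """Public value g^x mod p; this is what crosses the wire."""
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> int:
    """Shared secret g^xy mod p, computed locally by each side and never sent."""
    return pow(peer_public, private, P)


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 as the negotiated pseudo-random function (assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_ike_keys(psk: bytes, nonce_i: bytes, nonce_r: bytes,
                    gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID derivation for preshared-key authentication (RFC 2409 section 5)."""
    skeyid = prf(psk, nonce_i + nonce_r)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # seeds phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # authentication key
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # encryption key
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase1_key_exchange(priv_i: int, priv_r: int, psk: bytes,
                        nonce_i: bytes, nonce_r: bytes,
                        cky_i: bytes, cky_r: bytes):
    """Run the exchange from both ends; return (both sides agree, initiator's keys)."""
    pub_i, pub_r = dh_public(priv_i), dh_public(priv_r)   # exchanged in the clear
    gxy_i = dh_shared(pub_r, priv_i).to_bytes(16, "big")   # initiator's view of g^xy
    gxy_r = dh_shared(pub_i, priv_r).to_bytes(16, "big")   # responder's view of g^xy
    keys_i = derive_ike_keys(psk, nonce_i, nonce_r, gxy_i, cky_i, cky_r)
    keys_r = derive_ike_keys(psk, nonce_i, nonce_r, gxy_r, cky_i, cky_r)
    return keys_i == keys_r, keys_i


def random_exchange(psk: bytes):
    """Fresh private exponents, nonces and cookies, as a real negotiation would use."""
    return phase1_key_exchange(secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1,
                               psk, secrets.token_bytes(16), secrets.token_bytes(16),
                               secrets.token_bytes(8), secrets.token_bytes(8))
```

An observer of the exchange sees p, g, both public values, both nonces and both cookies, but not the private exponents; without those it cannot form g^xy and so cannot reach any of the SKEYID values that protect the remaining exchanges.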
Figure 4-8. IKE Phase 1: Authentication

The tunnel endpoints also check each other's IDs. When you set up an IKE policy, you specify the TMS zl Module's local ID and the remote ID that it expects from the remote VPN gateway or client. The ID can be one of these:
■ An IP address. A local ID of this type should be the IP address for the interface that handles incoming VPN traffic.

Note: If you use certificates for IKE authentication, you must specify either the DN as the identity type, or you must specify the type and value of a subject alternate name in the certificate.

IKE modes. IKE phase 1 can be initiated in one of two modes:
■ Main mode
■ Aggressive mode
Main mode consists of the six messages (three exchanges) described above.

Figure 4-9.

Figure 4-10. IKE Phase 2: Security Proposal

When negotiating the IPsec SA, IKE follows much the same process it did in IKE phase 1.
The traffic selector specifies local and remote IP addresses (the local addresses on one endpoint must match the remote addresses on the other). Optionally, the selector can select a specific IP protocol or a specific TCP or UDP service.
■ Other advanced options

The respondent searches its IPsec policies for a match. When it finds a match, it returns the policy to the initiator.
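The outbound lookup described earlier (active SA first, then IPsec policies) and the traffic selector just defined, as an added example that is not HP's code. It accepts the address forms the wizards take (single IP, "first-last" range, CIDR, Any), orders policies by priority, and shows why a top-priority Bypass policy for management traffic matters when a client policy uses Any: without it, the module's own traffic to the management server matches the VPN policy. The policy names, addresses and the priority ordering are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not HP code): models the outbound selector lookup the guide describes.
# Address specs use the forms the wizards accept: single IP, "first-last", CIDR, or Any.


def parse_address_spec(spec: str) -> Tuple[int, int]:
    """Return the inclusive (first, last) integer bounds of an IPv4 address spec."""
    spec = spec.strip()
    if spec.lower() == "any":
        return 0, 2**32 - 1
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {spec}")
        return int(first), int(last)
    net = ipaddress.IPv4Network(spec, strict=False)   # single IP or CIDR network
    return int(net.network_address), int(net.broadcast_address)


@dataclass
class Selector:
    local: str                         # local address spec
    remote: str                        # remote address spec
    protocol: Optional[int] = None     # IP protocol number; None = any
    remote_port: Optional[int] = None  # TCP/UDP destination port; None = any

    def matches(self, src: str, dst: str, proto: int, dport: Optional[int]) -> bool:
        lo, hi = parse_address_spec(self.local)
        if not lo <= int(ipaddress.IPv4Address(src)) <= hi:
            return False
        lo, hi = parse_address_spec(self.remote)
        if not lo <= int(ipaddress.IPv4Address(dst)) <= hi:
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        return self.remote_port is None or dport == self.remote_port


@dataclass
class IPsecPolicy:
    name: str
    priority: int      # lower number = higher priority, checked first
    action: str        # "apply", "bypass" or "deny"
    selector: Selector


@dataclass
class ActiveSA:
    name: str
    selector: Selector


def outbound_lookup(active_sas: List[ActiveSA], policies: List[IPsecPolicy],
                    src: str, dst: str, proto: int, dport: Optional[int] = None):
    """Active SAs are consulted first, then policies in priority order."""
    for sa in active_sas:
        if sa.selector.matches(src, dst, proto, dport):
            return "sa", sa.name                 # encrypt with the SA's keys
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.selector.matches(src, dst, proto, dport):
            return pol.action, pol.name          # "apply" means: negotiate an SA
    return "clear", None                          # no policy: forwarded without IPsec


def demo():
    """Constructed scenario: management Bypass at top priority, a client VPN policy below it."""
    mgmt = IPsecPolicy("mgmt-bypass", 1, "bypass", Selector("172.16.40.1", "172.16.40.0/24"))
    clients = IPsecPolicy("ClientVPN", 10, "apply", Selector("172.16.40.0/24", "Any"))
    sa = ActiveSA("ClientVPN-user1", Selector("172.16.40.0/24", "172.16.100.2-172.16.100.254"))
    return {
        "to_nim": outbound_lookup([sa], [mgmt, clients], "172.16.40.1", "172.16.40.50", 6, 443),
        "to_client": outbound_lookup([sa], [mgmt, clients], "172.16.40.10", "172.16.100.7", 6, 445),
        "to_internet": outbound_lookup([sa], [mgmt, clients], "172.16.40.10", "198.51.100.9", 6, 80),
        # Same management packet with no Bypass policy: it is swallowed by the Any policy.
        "to_nim_without_bypass": outbound_lookup([], [clients], "172.16.40.1", "172.16.40.50", 6, 443),
    }
```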
The remote client requests an IP address and default gateway from the IPsec Remote Access Server (IRAS) on the TMS zl Module between the IKE phase 1 and phase 2 negotiations. It may also request addresses for DNS and WINS servers that will resolve domain names for the user while on the private network. The users appear as internal users on the network once they have received the IKE mode config parameters.

■ Fragmentation before IPsec
■ The copying of values from the original IP header

The sections below describe these features. Table 4-2 indicates which features are enabled by default and other default settings.

Table 4-2.
Extended Sequence Number

By default, IPsec uses 32 bits for sequence numbers. Because sequence numbers cannot be reused, this limits an SA to 2^32 (4 million) packets. If your SA has a relatively long lifetime and transmits a great deal of traffic, you might want to enable extended sequence numbers (64 bits) to allow up to 2^64 (18 quintillion) packets.
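What the sequence-number limit means on the receiving side, as an added example (not HP's code): the ESP anti-replay window of RFC 4303 Appendix A, including the rule a receiver uses under ESN to recover the high 32 bits that the sender never puts on the wire. Without ESN, the counter simply runs out and the SA has to be rekeyed; with ESN, the window slides across the 2^32 boundary and replays of the old low numbers are still caught. Window size and the starting counter values are constructed for the demonstration.

```python
MASK32 = 0xFFFFFFFF

# Added example (not HP code): receiver-side anti-replay window for ESP after
# RFC 4303 Appendix A, with the ESN high-order-bit recovery rule.


def sequence_exhausted(last_sent: int, esn: bool) -> bool:
    """True when the sender's counter cannot be incremented and the SA must be rekeyed."""
    return last_sent >= (2**64 - 1 if esn else 2**32 - 1)


class ReplayWindow:
    def __init__(self, size: int = 64, esn: bool = False, top: int = 0):
        self.size = size           # window width in packets
        self.esn = esn
        self.top = top             # highest sequence number accepted so far (simulation start)
        self.bitmap = 1            # bit 0 represents top, bit k represents top - k
        self.full = (1 << size) - 1

    def _infer_seq(self, seql: int):
        """Rebuild the 64-bit sequence number from the transmitted low 32 bits (ESN only)."""
        if not self.esn:
            return seql
        th, tl = self.top >> 32, self.top & MASK32
        w = self.size
        if tl >= w - 1:                  # window does not straddle a 2^32 boundary
            seqh = th if seql >= tl - w + 1 else th + 1
        else:                            # window straddles the boundary
            seqh = th - 1 if seql >= ((tl - w + 1) & MASK32) else th
        return None if seqh < 0 else (seqh << 32) | seql

    def check(self, seql: int) -> bool:
        """Accept and record a packet, or reject it as too old or replayed."""
        seq = self._infer_seq(seql)
        if seq is None:
            return False
        if seq > self.top:               # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.full
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.size:            # older than the window: drop
            return False
        if self.bitmap & (1 << back):    # already seen: replay
            return False
        self.bitmap |= 1 << back
        return True


def demo_esn_wraparound():
    """Constructed: an ESN SA that has already carried almost 2^32 packets."""
    w = ReplayWindow(size=64, esn=True, top=2**32 - 3)
    # two more before the boundary, two after it, a replay of an old one, then a jump ahead
    return [w.check(s) for s in (2**32 - 2, 2**32 - 1, 0, 1, 2**32 - 1, 5000)]


def demo_no_esn_wraparound():
    """Without ESN the low 32 bits are the whole number: after 2^32-1 nothing new fits."""
    w = ReplayWindow(size=64, esn=False, top=2**32 - 1)
    return [w.check(0), w.check(2**32 - 1)]    # "too old" and "replay" respectively
```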
The TMS zl Module can copy the DSCP value and DF bit from the original IP header to the delivery header. In this way, it ensures the correct handling for the packet. The module can also set or clear the DF bit for all IPsec packets in an SA. For example, you might want to ensure that IPsec packets are not fragmented.

However, sometimes a device in between the two endpoints of a VPN tunnel performs NAT on packets that have already been encapsulated for the tunnel. As a result of this alteration, packets will fail integrity checks during IKE. In this case, NAT Traversal (NAT-T) is required to notify the tunnel endpoints that the IP addresses will be altered. Figure 4-11 shows an environment that requires NAT-T.
How NAT Traversal Works

NAT-T uses UDP encapsulation to address this incompatibility between NAT and L2TP over IPsec. UDP encapsulates the IPsec packet in a UDP/IP header. The NAT device changes the address in this header without tampering with the IPsec packet. Peers agree to use NAT-T during IKE negotiations by exchanging a predetermined, known value that indicates that they support NAT-T.
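Once both peers have advertised NAT-T support with that known value, they still have to find out whether a NAT actually sits between them. The added example below (not HP's code) goes one step beyond the paragraph and shows the NAT-D payload check from RFC 3947 that does this: each peer sends a hash of the address and port it believes the other side has, then a hash of its own; the receiver recomputes both from what it actually saw on the wire, and any mismatch tells it which side is behind a NAT and that UDP encapsulation is needed. The cookies, addresses and the SHA-1 choice are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Added example (not HP code). NAT-D payload computation and comparison after RFC 3947.


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port) with the phase 1 hash algorithm (SHA-1 assumed)."""
    return hashlib.sha1(cky_i + cky_r + ipaddress.IPv4Address(ip).packed
                        + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port):
    """What a peer sends: first the hash of the destination (the other side), then its own."""
    return (nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port))


def detect_nat(cky_i, cky_r, my_ip, my_port, observed_peer_ip, observed_peer_port,
               received_payloads):
    """Compare received NAT-D hashes with the addresses actually seen on the wire.

    Returns (peer_behind_nat, self_behind_nat)."""
    hash_of_me, hash_of_peer_self = received_payloads
    peer_behind_nat = hash_of_peer_self != nat_d_hash(
        cky_i, cky_r, observed_peer_ip, observed_peer_port)
    self_behind_nat = hash_of_me != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    return peer_behind_nat, self_behind_nat


def demo():
    """Constructed: a client at 192.168.1.10 reaches the module through a NAT at 203.0.113.5."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8
    module_ip = "198.51.100.1"
    client_private_ip, client_public_ip = "192.168.1.10", "203.0.113.5"
    # The client hashes the addresses as it sees them: itself on 192.168.1.10:500.
    client_payloads = build_nat_d_payloads(cky_i, cky_r, client_private_ip, 500, module_ip, 500)
    # The module sees the packet arrive from the NAT's public address and a rewritten port.
    result = detect_nat(cky_i, cky_r, module_ip, 500, client_public_ip, 41000, client_payloads)
    use_udp_encap = any(result)     # either side behind NAT: switch to UDP encapsulation
    return result, use_udp_encap
```

Because the NAT rewrites only the outer UDP/IP header, the hashes themselves arrive intact; it is the comparison against the observed source that reveals the translation. A pair of peers with no NAT between them compute identical hashes on both sides and keep plain ESP.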
Configure an IPsec Client-to-Site VPN

between the module and the other side of the VPN tunnel. In that case, and if the router does not allow fragmentation, the router will drop the frame, interfering with communication across the tunnel. To avoid this problem, you should configure the TMS zl Module to force a smaller maximum segment size (MSS) for TCP connections associated with traffic sent over the VPN.
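The arithmetic behind that MSS recommendation, as an added example (not HP's code or the module's own calculation): it totals the ESP tunnel-mode overhead for a given cipher and integrity algorithm, with and without NAT-T's UDP header, and derives the largest MSS whose encapsulated packet still fits the path MTU. The per-algorithm sizes are the standard ESP values; the set of transforms listed is this example's assumption about what the tunnel might use.

```python
# Added example (not HP code): size arithmetic behind the MSS recommendation.
CIPHERS = {              # name: (padding block size, explicit IV length), in bytes
    "aes-cbc": (16, 16),
    "3des-cbc": (8, 8),
    "aes-gcm": (4, 8),   # AEAD: trailer only needs 4-byte alignment, 8-byte IV
}
INTEGRITY = {            # name: ICV length in bytes
    "hmac-sha1-96": 12,
    "hmac-md5-96": 12,
    "hmac-sha256-128": 16,
    "aes-gcm-16": 16,
}
IP_HDR, UDP_HDR, TCP_HDR, ESP_HDR, ESP_TRAILER = 20, 8, 20, 8, 2


def _fixed_overhead(cipher, integ, nat_t):
    """Bytes that do not depend on the payload: outer IP, optional UDP, ESP header, IV, ICV."""
    _, iv = CIPHERS[cipher]
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + INTEGRITY[integ]


def esp_packet_size(tcp_payload, cipher="aes-cbc", integ="hmac-sha1-96",
                    tunnel=True, nat_t=False):
    """Total on-the-wire IPv4 packet size for one TCP segment after ESP encapsulation."""
    block, _ = CIPHERS[cipher]
    inner = TCP_HDR + tcp_payload + (IP_HDR if tunnel else 0)   # tunnel mode wraps the inner IP header
    padded = -(-(inner + ESP_TRAILER) // block) * block          # round up to the cipher block
    return _fixed_overhead(cipher, integ, nat_t) + padded


def recommended_mss(path_mtu, cipher="aes-cbc", integ="hmac-sha1-96",
                    tunnel=True, nat_t=False):
    """Largest TCP MSS whose encapsulated packet still fits the path MTU."""
    block, _ = CIPHERS[cipher]
    avail = path_mtu - _fixed_overhead(cipher, integ, nat_t)
    avail -= avail % block                                       # padded region is block-aligned
    return avail - ESP_TRAILER - TCP_HDR - (IP_HDR if tunnel else 0)


def mss_table(path_mtu=1500):
    """Constructed comparison for a 1500-byte path: default Ethernet MSS versus clamped values."""
    return {
        "default_mss_1460_packet": esp_packet_size(1460),            # exceeds 1500: fragments or drops
        "aes_sha1_tunnel": recommended_mss(path_mtu),
        "aes_sha1_tunnel_nat_t": recommended_mss(path_mtu, nat_t=True),
        "3des_md5_tunnel": recommended_mss(path_mtu, "3des-cbc", "hmac-md5-96"),
    }
```

With AES-CBC and HMAC-SHA1-96 in tunnel mode a full 1460-byte segment becomes a 1560-byte packet, 60 bytes over a 1500-byte link; clamping the MSS to 1398 (1382 when NAT-T adds its UDP header) keeps every encapsulated packet under the MTU.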
Using named objects is best practice; however, you can specify IP addresses manually.
2. Create the IKE policy, IPsec proposal, and IPsec policy using one of the wizards:
   • Use the Deploy IPsec Remote-Access VPN wizard to be guided through configuring all of the settings at once. See "Configure IKE and IPsec Settings Using the Deploy IPsec Remote-Access VPN Wizard" on page 4-30.
3.

You can, of course, configure other objects that are appropriate for your environment. And you might choose not to configure some of the objects. For example, you might not know the actual IP address of every remote VPN client, particularly when remote users connect through the Internet.

Figure 4-12. Example IPsec Client-to-Site VPN

You are now ready to configure the IKE and IPsec settings.

■ Custom setup: lets you choose your own settings for the parameters shown in Table 4-4

For example, if you want to use AES encryption and allow only UDP traffic on the VPN tunnel, select the Custom setup rather than the Typical setup. See "Custom Setup" on page 4-48.

Table 4-4.
Typical Setup

To configure a client-to-site VPN using the Typical setup in the Deploy IPsec Remote-Access VPN wizard, complete the following steps:
1. In the PCM+ navigation tree, expand Network Management Home > Agent Groups > Default Agent Group > Devices > TMS zl.
2. Within the TMS zl folder, select the module on which you want to configure the VPN.
3. In the main configuration window, click TMS - VPN.

Figure 4-13.

Figure 4-14. Deploy IPsec Remote-Access VPN Wizard > Deploy Remote-Access VPN

5. Select Typical setup and click Next.

Figure 4-15. Deploy IPsec Remote-Access VPN Wizard > Deployment Name

6. For Deployment name, type a string that is unique to this policy. For example, you might type ClientVPN. The string can include 1 to 32 alphanumeric characters.
7. Click Next.

Figure 4-16. Deploy IPsec Remote-Access VPN Wizard > Configure Public Interface and Local ID

8. For Local Gateway, specify the TMS zl Module IP address that will act as the VPN gateway. You have two options:
   • Select IP Address and type an IP address in the box. The IP address must be an IP address that is already configured on the TMS zl Module and that the remote endpoints can reach.

   a. For Local ID Type, select one of the following:
      – IP Address
      – Domain Name
      – Email Address
      – Distinguished Name
   b. For Local ID Value, type the correct value. For example, if you select IP Address for Local ID Type, the IP address that you specify must match the IP address that you specified for the local gateway. Table 4-5 shows the format for each ID type.

Table 4-5.

Figure 4-17. Deploy IPsec Remote-Access VPN Wizard > Configure Local Network

11. For Local Network Address, specify the IP addresses for all local servers or endpoints to which remote users are allowed access. Do one of the following to specify addresses:
   • Manually type an IP address, IP address range, or network address in CIDR format.
   • Select a subnet.
   • Select Any to permit any IP address. Any is not valid if you plan to configure IKE mode config.

Caution
Typically, the local addresses are internal addresses on your private network, while the public interface address (which you configured in the previous window) is the TMS zl Module's public or external address.

Figure 4-18. Deploy IPsec Remote-Access VPN Wizard > Configure Remote Endpoint Information

13. The Remote Network Address setting depends on whether you will use IKE mode config. It is generally recommended that you use IKE mode config, because this enables you to group VPN clients in a subnet specific to them.
address and create a separate IPsec policy for each remote client. Other clients (such as the Mac IPSecuritas) can send an entire subnet. Do one of the following to specify addresses:
   • Manually type an IP address, IP address range, or network address in CIDR format.
   • Select a single-entry IP, range, or network address object.
   • Select Any to permit any IP address.

3.

Caution
You should also delete the IKEv1 policy and IPsec proposal that were applied before the faulty IPsec policy was applied. Otherwise, if you try to use the same deployment name when you run the wizard again, you will receive an error.

In general, take great care when specifying Any. Even if you do not select management traffic, you might inadvertently block necessary traffic.
Each client's unique ID must match the wildcard in the module's remote ID. For example, if the remote ID type and value on the module are Domain Name and hp.com, then one client can have user1.hp.com as its ID and another client can have user2.hp.com.

Figure 4-19. Deploy IPsec Remote-Access VPN Wizard > Configure Remote Endpoint Information

5. Click Next.

Figure 4-20. Deploy IPsec Remote-Access VPN Wizard > Remote Client Authentication Configuration

6. For Authentication Method, select one of the following:
   • Preshared Key
   • DSA Signature
   • RSA Signature
   If you want to use SCEP to install certificates, select RSA Signature rather than DSA Signature. If you select DSA Signature or RSA Signature, see "Manage Certificates" on page 4-394 after you finish the wizard.
7. If you select Preshared Key, type a string of 12 to 49 alphanumeric or special characters in the Preshared Key box. Type the same string in the Confirm Preshared Key box. The string (which is case-sensitive) must match the string that is configured on the remote endpoints.
8. Configure or disable XAUTH, which is an optional layer of security.
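The two matching rules from the preceding steps, the wildcard remote ID (where a Domain Name value such as hp.com accepts user1.hp.com) and the preshared-key constraints, written out as an added example that is not HP's code. The guide states the suffix rule only for Domain Name IDs; extending it to the domain part of Email Address IDs, the way Distinguished Names are normalised before comparison, and the rejection of whitespace in a preshared key are this example's own assumptions.

```python
import ipaddress
import re

# Added example (not HP code). Remote ID matching and preshared-key checks as a
# defender would implement them in a configuration validator.


def ids_match(id_type: str, configured: str, presented: str) -> bool:
    """Does the ID a client presents satisfy the remote ID configured on the module?"""
    if id_type == "IP Address":
        return ipaddress.ip_address(configured) == ipaddress.ip_address(presented)
    if id_type in ("Domain Name", "Email Address"):
        c, p = configured.lower(), presented.lower()
        # exact match, or the configured value acts as a suffix wildcard; the
        # leading "." / "@" stops "evilhp.com" from matching "hp.com"
        return p == c or p.endswith("." + c) or p.endswith("@" + c)
    if id_type == "Distinguished Name":
        def normalise(dn: str):
            # split on commas that are not escaped, trim and lower-case each RDN (assumption)
            return [part.strip().lower() for part in re.split(r"(?<!\\),", dn)]
        return normalise(configured) == normalise(presented)
    raise ValueError(f"unknown ID type: {id_type}")


def accepted_clients(id_type: str, configured: str, presented_ids):
    """Which of several client IDs would authenticate against one remote ID."""
    return [pid for pid in presented_ids if ids_match(id_type, configured, pid)]


def validate_preshared_key(psk: str, confirm: str) -> list:
    """Return the problems found; an empty list means the wizard would accept the key."""
    problems = []
    if not 12 <= len(psk) <= 49:
        problems.append("length must be 12 to 49 characters")
    if psk != confirm:                       # comparison is case-sensitive
        problems.append("key and confirmation differ")
    if not psk.isascii() or any(ch.isspace() for ch in psk):
        problems.append("use printable ASCII without whitespace (assumption)")
    return problems
```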
Figure 4-21. Deploy IPsec Remote-Access VPN Wizard > Configure IRAS details (optional)

10. Configure the IP addresses and other settings assigned to remote endpoints through IKE mode config.

Note: It is generally recommended that you use IKE mode config. However, if your clients do not support this feature, clear the Enable IP Address Pool for IRAS (Mode Config) check box and move to step 19 on page 4-47.

11.

When you set up firewall access policies to permit traffic between the remote endpoints and the private network, select this zone as the source zone.
14. For IP Address Ranges, type one or more ranges of IP addresses in the same subnet as the IRAS. Type each range on its own line, in the form first-address-last-address. For example, type 172.16.100.2-172.16.100.254.

Figure 4-22. Deploy IPsec Remote-Access VPN Wizard > Configure IRAS details (optional) (Filled In)

19. Click Next.

Figure 4-23. Deploy IPsec Remote-Access Wizard > Configuration Preview

20. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box.
1. In the PCM+ navigation tree, expand Network Management Home > Agent Groups > Default Agent Group > Devices > TMS zl.
2. Within the TMS zl folder, select the module on which you want to configure the VPN.
3. In the main configuration window, click TMS - VPN.

Figure 4-24. PCM+ > TMS-VPN > IPsec Window

4.
5.

Figure 4-25. Deploy IPsec Remote-Access VPN Wizard > Type of Setup

6. Click Next.

Figure 4-26. Deploy IPsec Remote-Access VPN Wizard > Deployment Name

7. For Deployment name, type a string that is unique to this policy. For example, you might type ClientVPN. The string can include 1 to 32 alphanumeric characters.
8. Click Next.

Figure 4-27. Deploy IPsec Remote-Access VPN Wizard > Configure Public Interface and Local ID

9. For Local Gateway, specify the TMS zl Module IP address that will act as the VPN gateway. You have two options:
   • Select IP Address and type an IP address in the box. The IP address must be an IP address that is already configured on the TMS zl Module and that the remote endpoints can reach.

      – IP Address
      – Domain Name
      – Email Address
      – Distinguished Name
   b. For Local ID Value, type the correct value. For example, if you select IP Address for Local ID Type, the IP address that you specify must match the IP address that you specified for the local gateway. Table 4-7 shows the format for each ID type.

Table 4-7. Local ID Values
Local ID Type | Remote ID Value | Examples
IP Address | A.B.C.D | 172.16.40.

12. For Local Network Address, specify the IP addresses for all local endpoints to which remote users are allowed access. Do one of the following to specify addresses:
   • Typically, manually type an IP address, IP address range, or network address in CIDR format. The local addresses should be internal addresses on your private network.
   • Select a subnet. The wizard automatically includes the subnets configured on TMS VLANs.

Figure 4-29. Deploy IPsec Remote-Access VPN Wizard > Configure Remote VPN Endpoint Address

14. The Remote Network Address setting depends on whether you will use IKE mode config.
Caution: The remote addresses in combination with the local addresses must not include management traffic to the TMS zl Module. If you violate this rule, you must first configure a Bypass policy with top priority that selects the management traffic; otherwise NIM will lose contact with the module and you will be locked out of the Web browser interface.
allow endpoints on the local subnet to send any traffic except to remote VPN clients. You might need to create Bypass policies. See “Bypass and Deny IPsec Policies” on page 4-434.
4. For Remote ID, specify an ID that matches the ID that remote clients send to authenticate themselves:
a. For Remote ID Type, select one of the following:
– IP Address
– Domain Name
– Email Address
– Distinguished Name
b.
Figure 4-30. Deploy IPsec Remote-Access VPN Wizard > Remote Client Authentication Configuration

6. For Authentication Method, select one of the following:
• Preshared Key
• DSA Signature
• RSA Signature
If you want to use SCEP to install certificates, select RSA Signature rather than DSA Signature. If you select DSA Signature or RSA Signature, see “Manage Certificates” on page 4-394 after you finish the wizard.
7.
You can configure the TMS zl Module to act either as an XAUTH client (it authenticates itself) or as an XAUTH server (it authenticates the remote clients). Configuring the module as an XAUTH server is typical.
9. Select one of the following:
• TMS acts as XAUTH Client
– For Authentication Type, select Generic or CHAP.
– For Username and Password, you must specify credentials that the remote endpoints accept.
Note: It is generally recommended that you use IKE mode config. However, if your clients do not support this feature, clear the Enable IP Address Pool for IRAS (Mode Config) check box and move to step 19 on page 4-61.
11. Select the Enable IP Address Pool for IRAS (Mode Config) check box.
12. For IRAS IP Address/Mask, type the IP address that the TMS zl Module will use to route traffic from the remote clients. Include a subnet mask.
Figure 4-32. Deploy IPsec Remote-Access VPN Wizard > Configure IRAS details (optional) (Filled In)

19. Click Next.
Figure 4-33. Deploy IPsec Remote-Access VPN Wizard > Configure Services Available for the Remote End Point

20. For Protocol, specify the protocol for traffic allowed over the VPN:
• Any—Any IP protocol. Select this option when you want to select all traffic between local and remote endpoints.
Figure 4-34. Deploy IPsec Remote-Access VPN Wizard > Configure Advanced IKE Settings

24. For Key Exchange Mode, select Main Mode or Aggressive Mode. The mode must match that configured on remote endpoints. See “IKE modes” on page 4-18 for guidelines.
25. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA (the IKE policy on remote endpoints must match):
a.
– 3DES
– AES-192 (24)
– AES-256 (32)
The number in parentheses after AES options indicates the key length for the algorithm in bytes.
c. For Authentication Algorithm, select one of these protocols, listed from least secure (and least processor-intensive) to most:
– MD5
– SHA-1
d. For SA Lifetime in Seconds, type the number of seconds that the IKE SA is kept open.
Tunnel mode allows remote endpoints to reach services behind the TMS zl Module. In transport mode, the VPN only supports traffic originated by the remote endpoint or by the TMS zl Module itself.
28. For IPsec Security Protocol/Encryption/Authentication Algorithm, select one of the options. The first part of each option is the security protocol, ESP or AH (AH does not provide encryption.
The TMS zl Module checks an IPsec SA for inactivity when the SA has transmitted and received 80 percent of the allowed bandwidth in kilobytes. If the SA is active, the module renegotiates it, deleting the old SA when the new one is established. The module deletes an inactive SA if it is still inactive when the total lifetime in kilobytes is reached.
The TMS zl Module assigns each IPsec packet the DSCP value assigned to the original IP packet.
• Select Set DSCP value and type a value between 0 and 63 in the box. The TMS zl Module assigns every IPsec packet in this SA the DSCP that you configure. 0 is the default value and requests normal handling for the packet.
See “The Copying of Values from the Original IP Header” on page 4-23 for more information.
36. Click Next.
When you are ready to apply the configuration, click Next in the Configuration Preview window.
38. A window is displayed, showing the settings being applied to the TMS zl Module. When you see that they have been applied successfully, click Close.
Move to “Create Access Policies for IPsec Client-to-Site VPNs” on page 4-102.
Policy or Proposal Parameter | Module-Specific or Same for Every Selected Module
Authentication Algorithm | Same

Although the Manage IPsec wizard provides a great many options for managing IKE and IPsec settings, the sections below focus on using the wizard to set up the necessary policies and proposals for a client-to-site VPN.
• If you are configuring a single module, you can click the IKEv1 Policies tab. Right-click the TMS zl Module’s name in the main configuration window and select Add. Move to step 5 on page 4-72.

Figure 4-38.
i. Whichever way you open the wizard, in the first window, select IKEv1 Policy for Managed Objects and Add for Actions.

Figure 4-40. Manage IPsec Wizard > Manage IPsec Main Menu

ii. Click Next. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 5 on page 4-72.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-41. Manage IPsec Wizard > Select Devices

iv. Click Next.
5. A window is displayed in which you configure IKE settings. The window differs slightly based on whether you are configuring a single TMS zl Module or multiple modules. The window for a multiple-module configuration is shown in Figure 4-42. (The window for a single-module configuration includes the same settings but no Devices list.)
6.
Note: Later you must configure firewall access policies to allow the IKE messages from the remote endpoints.

Figure 4-42. Manage IPsec Wizard > Add IKEv1 Policy (Multiple Module Configuration)

If you are configuring multiple modules, the next settings are module-specific. Therefore, you must click one of the TMS zl Modules in the Devices list and configure the settings for that specific module.
Figure 4-43. Example IPsec Client-to-Site VPN

8. For Local Gateway, specify the TMS zl Module IP address that will act as the VPN gateway (indicated by 1 in the example figure). You have two options:
• Select IP Address and type an IP address in the box. The IP address must be an IP address that is already configured on the TMS zl Module and that the remote endpoints can reach.
– Domain Name
– Email Address
– Distinguished Name
b. For Value, type the correct value. If you select IP Address for Type, the address that you specify in the Value box must match the IP address that you specified for the local gateway. Table 4-10 shows the format for each ID type.

Table 4-10. Local ID Values
Local ID Type | Remote ID Value | Examples
IP Address | A.B.C.D | 172.16.40.103
Domain Name | | TMS.hp.
Note: When you are using wildcards to allow multiple clients to connect using this IKE policy, you must configure a unique ID on each client to allow clients to log in simultaneously. Two clients cannot have the same ID, because if one client is logged in and a second client attempts to log in with the same ID, the first client is logged out. Each client’s unique ID must match the wildcard in the module’s remote ID.
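The ID-format rules of Table 4-10, the rule that an IP Address local ID must equal the local gateway, and the note above about unique client IDs can all be checked before the policy is applied. The following is an added example, not HP code; the wildcard syntax (`*` matching any run of characters) is an assumption, since the manual does not give the wildcard syntax, and the sample IDs are constructed.

```python
"""Checks for the IKE identifiers configured in the IKEv1 policy wizard.
Added example, not HP code.  Value formats follow Table 4-10 (A.B.C.D,
domain name, user@domain, /CN=name).  The wildcard syntax ('*' matches any
run of characters, '?' one character) is an assumption: the manual says
wildcards exist but does not give their syntax.
"""
import fnmatch
import ipaddress
import re
from collections import Counter
from typing import List, Tuple

# Shape check only: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def validate_id(id_type: str, value: str) -> bool:
    """Return True when value has the shape Table 4-10 requires for id_type."""
    if id_type == "IP Address":
        try:
            ipaddress.IPv4Address(value)            # A.B.C.D
            return True
        except ValueError:
            return False
    if id_type == "Domain Name":
        return bool(DOMAIN_RE.match(value))          # e.g. TMS.hp.com
    if id_type == "Email Address":
        user, sep, domain = value.partition("@")     # e.g. tms@hp.com
        return sep == "@" and bool(user) and bool(DOMAIN_RE.match(domain))
    if id_type == "Distinguished Name":
        return value.startswith("/CN=") and len(value) > len("/CN=")
    raise ValueError(f"unknown ID type: {id_type}")


def local_id_ok(id_type: str, value: str, local_gateway: str) -> bool:
    """An IP Address local ID must equal the configured local gateway address."""
    if not validate_id(id_type, value):
        return False
    if id_type == "IP Address":
        return ipaddress.IPv4Address(value) == ipaddress.IPv4Address(local_gateway)
    return True


def check_client_ids(remote_id_pattern: str,
                     client_ids: List[str]) -> Tuple[List[str], List[str]]:
    """For a wildcard remote ID, return (ids that do not match the pattern,
    ids used by more than one client).  A non-matching ID never authenticates;
    a duplicated ID means the second client to log in knocks the first one off.
    """
    non_matching = [c for c in client_ids
                    if not fnmatch.fnmatchcase(c, remote_id_pattern)]
    counts = Counter(client_ids)
    duplicates = sorted(c for c, n in counts.items() if n > 1)
    return non_matching, duplicates


if __name__ == "__main__":
    # Constructed sample: one ID reused by two clients, one from another domain.
    clients = ["alice@hp.com", "bob@hp.com", "alice@hp.com", "eve@example.com"]
    print(local_id_ok("IP Address", "172.16.40.103", "172.16.40.103"))
    print(check_client_ids("*@hp.com", clients))
```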
a. For Key Exchange Mode, select Main Mode or Aggressive Mode. The mode must match that configured on remote endpoints. See “IKE modes” on page 4-18 for guidelines.
b. For Authentication Method, select one of the following:
– Preshared Key
– DSA Signature
– RSA Signature
If you want to use SCEP to install certificates, select RSA Signature rather than DSA Signature.
c. For Authentication Algorithm, select one of these protocols, listed from least secure (and least processor-intensive) to most:
– MD5
– SHA-1
d. For SA Lifetime in Seconds, type the number of seconds that the IKE SA is kept open. Valid values are between 300 seconds and 86400 seconds (1 day). Remember that this setting applies to the IKE SA, which is a temporary tunnel used only to establish the IPsec SA.
15. Click Next.
i. If you have not already done so, configure a group or groups for the remote users. Configure the user group in the TMS-Network > Authentication > Firewall/XAUTH Users window.
ii. Configure usernames and passwords for the remote users in one of these locations:
– An external RADIUS server—Remember to add the RADIUS server in the TMS-Network > Authentication > RADIUS Servers Configuration window.
Figure 4-46. Manage IPsec Wizard > Configuration Preview Window

18. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box.
Figure 4-47. Manage IPsec Wizard > Applying Settings Window

19. A window is displayed, showing the settings being applied to the TMS zl Module or modules. When you see that they have been applied successfully, click Close. The IKE policy is displayed in the TMS-VPN > IPsec > IKEv1 Policies window. (Because this is a client-to-site type policy, the policy has no remote gateway.)

Figure 4-48.
Create an IPsec Proposal for a Client-to-Site VPN

Each IPsec proposal specifies the following:
■ IPsec mode (tunnel or transport)
■ IPsec security protocol:
• AH and a single authentication algorithm
• ESP, a single authentication algorithm, and a single encryption algorithm
You can configure multiple IPsec proposals. In a later task, you will specify a proposal in an IPsec policy.
• Alternatively, open the Manage IPsec wizard either by right-clicking the TMS zl Module’s name in the navigation tree and selecting the wizard or by clicking the icon in the toolbar.
Manage IPsec Wizard

Figure 4-50.
i. In the first window, select IPsec Proposal for Managed Objects and Add for Actions.

Figure 4-51. Manage IPsec Wizard > Manage IPsec Main Menu Window

ii. Click Next. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 4 on page 4-86.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-52. Manage IPsec Wizard > Select Devices

iv. Click Next. All of the IPsec proposal settings that you configure in the next wizard window will be applied to each of the devices that you have selected.
Figure 4-53. Manage IPsec Wizard > Add IPsec Proposal Window

4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5.
5. For Encapsulation Mode, typically select Tunnel Mode.
• AES-128 (16)
• AES-192 (24)
• AES-256 (32)
The number in parentheses after AES options indicates the key length for the algorithm in bytes.
8. Whether you selected ESP or AH, for Authentication Algorithm, select one of the following:
• None
You must not select None if you selected AH for the Security Protocol or if you selected NULL for the ESP Encryption Algorithm.
• MD5
• SHA-1
• AES-XCBC
9. Click Next.
10. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
Figure 4-55. PCM+ > TMS-VPN > IPsec > IPsec Policies Window

• You can open the Manage IPsec wizard either by right-clicking the TMS zl Module’s name in the navigation tree and selecting the wizard or by clicking the icon in the toolbar.
Manage IPsec Wizard

Figure 4-56.
i. In the first window, select IPsec Policy for Managed Objects and Add for Actions.

Figure 4-57. Manage IPsec Wizard > Manage IPsec Main Menu Window

ii. Click Next.
Figure 4-58. Manage IPsec Wizard > Add IPsec Policy (step 1) Window

4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to configure a policy now and then enable it later.
6.
The position determines the order in which the TMS zl Module processes IPsec policies. The module processes the policy with the lowest value first (for example, position 1 before position 2). The position matters most when policies have overlapping traffic selectors. In this case, assign the highest position (lowest value) to the IPsec policy with the most specific traffic selector.
– Any—Any IP protocol. Select this option when you want to select all traffic between local and remote endpoints.
– TCP or UDP—Select this option in conjunction with a local port to allow remote clients to access only specific services in the local network.
– ICMP—Select this option when you want to select only ICMP traffic.
a separate IPsec policy for each remote client. Other clients (such as the Mac IPSecuritas) can send an entire subnet. Do one of the following to specify addresses:
– Manually type an IP address, IP address range, or network address in CIDR format.
– Select a single-entry IP, range, or network address object.
– Select Any to permit any IP address.
gateway address, you must create a Bypass IPsec policy to exclude IKE traffic to and from the module from the VPN. Otherwise the VPN cannot be established.

Caution: Also take great care when specifying Any. You might inadvertently block necessary traffic.
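The position rule above (lowest value first, most specific selector at the lowest value), the earlier caution that management traffic must be caught by a top-priority Bypass policy, and the IKE Bypass rule here can be checked as a set before the policies are applied. The following is an added example, not HP code; it models the module's first-match processing with constructed policies, addresses and a management port (TCP 443), all of which are assumptions.

```python
"""Ordering and Bypass checks for TMS zl IPsec policies.  Added example, not
HP code.  It models three rules the manual states: the module processes the
policy with the lowest position value first, the most specific selector should
therefore get the lowest value, and management and IKE traffic to the module
must be caught by a top-priority Bypass policy rather than an Apply policy.
All addresses, names and the management port (TCP 443) are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    position: int                     # lower value is processed first
    action: str                       # "Apply", "Bypass" or "Deny"
    protocol: str                     # "Any", "TCP", "UDP" or "ICMP"
    local: IPv4Network                # Local Network Address selector
    remote: IPv4Network               # Remote Network Address selector
    local_port: Optional[int] = None  # None selects any port


@dataclass(frozen=True)
class Flow:
    local_ip: IPv4Address
    remote_ip: IPv4Address
    protocol: str
    local_port: Optional[int] = None


def matches(p: Policy, f: Flow) -> bool:
    """True when the flow falls inside the policy's traffic selector."""
    if p.protocol != "Any" and p.protocol != f.protocol:
        return False
    if p.local_port is not None and p.local_port != f.local_port:
        return False
    return f.local_ip in p.local and f.remote_ip in p.remote


def first_match(policies: List[Policy], flow: Flow) -> Optional[Policy]:
    """The policy the module applies: the first match in position order."""
    for p in sorted(policies, key=lambda p: p.position):
        if matches(p, flow):
            return p
    return None


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never match because an earlier policy's
    selector already covers everything theirs selects."""
    ordered = sorted(policies, key=lambda p: p.position)
    out = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            proto_ok = earlier.protocol in ("Any", later.protocol)
            port_ok = earlier.local_port is None or earlier.local_port == later.local_port
            if (proto_ok and port_ok and later.local.subnet_of(earlier.local)
                    and later.remote.subnet_of(earlier.remote)):
                out.append(later.name)
                break
    return out


def control_plane_probes(mgmt_ip: IPv4Address, mgmt_host: IPv4Address,
                         gateway_ip: IPv4Address,
                         client_ip: IPv4Address) -> List[Tuple[str, Flow]]:
    """Flows that must never be tunnelled: NIM/browser management to the
    module (port assumed) and IKE (UDP 500, NAT-T 4500) gateway <-> client."""
    return [
        ("management", Flow(mgmt_ip, mgmt_host, "TCP", 443)),
        ("IKE", Flow(gateway_ip, client_ip, "UDP", 500)),
        ("IKE NAT-T", Flow(gateway_ip, client_ip, "UDP", 4500)),
    ]


def lockout_risks(policies: List[Policy],
                  probes: List[Tuple[str, Flow]]) -> List[str]:
    """Probes whose first-matching policy is an Apply policy (lockout risk)."""
    risks = []
    for label, flow in probes:
        hit = first_match(policies, flow)
        if hit is not None and hit.action == "Apply":
            risks.append(f"{label}: {flow.remote_ip}<->{flow.local_ip} "
                         f"selected by Apply policy {hit.name}")
    return risks


def example_policies() -> List[Policy]:
    """Constructed client-to-site set with two defects: Remote = Any pulls
    management traffic into the tunnel, and the narrower Servers policy sits
    behind the broad ClientVPN policy, so it is never reached."""
    any_net = IPv4Network("0.0.0.0/0")
    return [
        Policy("ClientVPN", 2, "Apply", "Any", IPv4Network("10.1.0.0/16"), any_net),
        Policy("Servers", 3, "Apply", "TCP", IPv4Network("10.1.10.0/24"), any_net, 443),
    ]


def with_bypass(policies: List[Policy]) -> List[Policy]:
    """The manual's fix: a top-priority Bypass policy for management traffic."""
    mgmt = Policy("MgmtBypass", 1, "Bypass", "Any",
                  IPv4Network("10.1.1.1/32"), IPv4Network("10.1.5.20/32"))
    return [mgmt] + list(policies)
```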
Figure 4-60. Manage IPsec Wizard > Add IPsec Policy (step 2) Window

6. For IKEv1 Policy, select a previously configured IKEv1 policy. You must select a policy of the client-to-site type.
7. Optionally, select the Enable PFS (Perfect Forward Secrecy) for keys check box, which forces the tunnel endpoints to generate new keys for the IPsec SA.
This setting determines how long the IPsec SA remains open. When the lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl Module checks whether the SA has experienced any activity. If it has, the module negotiates a new SA and then deletes the old SA. If the SA is inactive, the module waits for the complete lifetime to expire. Then, if the SA is still inactive, the module deletes the SA.
Figure 4-61. Manage IPsec Wizard > Add IPsec Policy (step 3) Window

11. Configure the IP addresses and other settings assigned to remote endpoints through IKE mode config.
Note: It is generally recommended that you use IKE mode config. However, if your clients do not support this feature, clear the Enable IP Address Pool for IRAS (Mode Config) check box and move to step 12.
a.
d. For IP Address Ranges, type one or more ranges of IP addresses in the same subnet as the IRAS. Type each range on its own line, using this format: first IP address-last IP address. For example, type 172.16.100.50-172.16.100.74. Each remote client will be assigned an address from this pool while visiting your private network. You can view these addresses in the TMS-VPN > Connections > Active IP Pool Sessions window.
Figure 4-62. Manage IPsec Wizard > Add IPsec Policy (step 4) Window

13. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable extended sequence number
– Enable re-key on sequence number overflow – This setting is enabled by default.
c. For DF Bit Handling, select one of these options:
– Copy DF bit from clear packet – The TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
– Set DF bit – The module sets the DF bit for all IPsec packets.
– Clear DF bit – The module clears the DF bit for all IPsec packets.
(See “The Copying of Values from the Original IP Header” on page 4-23 for more information.)
d.
Create Access Policies for IPsec Client-to-Site VPNs

You must configure firewall access policies to allow the IKE traffic and the traffic between the remote clients and the private network. This section gives you checklists of access policies that are required for client-to-site VPNs. To learn how to create the access policies, refer to Chapter 6: “Configuring the TMS zl Module Firewall.”
Figure 4-63. Example IPsec Client-to-Site VPN (with Zones)

Table 4-12 lists the necessary access policies you would make for the VPNs shown in Figure 4-63; the numbers in the Source and Destination columns refer to the example figure above.
Table 4-12.
Also note that, when you set up IKE mode config, a route to irstXXX is automatically added to the route table. This route is to the network that you configured for IKE mode config in the IPsec policy. In this example, the IRAS IP address and mask were configured as 10.1.100.1/24, so the network in the route is 10.1.100.0/24 and the gateway is 10.1.100.1.

Figure 4-64.
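The IP Address Ranges entered in step 11d (first IP address-last IP address, one per line, all in the IRAS subnet) and the route derived from the IRAS address above can be validated together. The following is an added example, not HP code; the overlap check and the check that a range does not include the IRAS address itself are added sanity checks, and the sample pools are constructed.

```python
"""IKE mode config address pool checks for the IRAS IP Address/Mask and IP
Address Ranges settings.  Added example, not HP code.  It parses ranges in
the first address-last address format, checks that every range lies in the
IRAS subnet, does not include the IRAS address itself and does not overlap
another range (the last two are added sanity checks), and derives the
connected route the manual says the module adds (IRAS 10.1.100.1/24 gives
route 10.1.100.0/24 via 10.1.100.1).  Sample pools are constructed.
"""
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Tuple

Range = Tuple[IPv4Address, IPv4Address]


def parse_ranges(text: str) -> List[Range]:
    """One 'first-last' range per line; blank lines are ignored."""
    ranges: List[Range] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        first, sep, last = line.partition("-")
        if sep != "-":
            raise ValueError(f"range must be first-last: {line!r}")
        a, b = IPv4Address(first.strip()), IPv4Address(last.strip())
        if b < a:
            raise ValueError(f"last address precedes first: {line!r}")
        ranges.append((a, b))
    return ranges


def check_pool(iras: str, ranges_text: str) -> Tuple[List[str], int, Tuple[str, str]]:
    """Return (problems, number of assignable addresses, (route network, gateway))
    for an IRAS IP/mask such as '10.1.100.1/24' and the pool text."""
    iface = IPv4Interface(iras)
    net = iface.network
    problems: List[str] = []
    accepted: List[Range] = []
    size = 0
    for a, b in parse_ranges(ranges_text):
        if a not in net or b not in net:
            problems.append(f"{a}-{b} is not inside the IRAS subnet {net}")
        if a <= iface.ip <= b:
            problems.append(f"{a}-{b} includes the IRAS address {iface.ip}")
        for c, d in accepted:
            if a <= d and c <= b:          # closed intervals intersect
                problems.append(f"{a}-{b} overlaps {c}-{d}")
        accepted.append((a, b))
        size += int(b) - int(a) + 1
    # Route the module installs for the pool: network via the IRAS address.
    route = (str(net), str(iface.ip))
    return problems, size, route


if __name__ == "__main__":
    # Constructed pool matching the manual's 10.1.100.1/24 example.
    print(check_pool("10.1.100.1/24",
                     "10.1.100.50-10.1.100.74\n10.1.100.100-10.1.100.119\n"))
```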
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with IKE

If you selected RSA or DSA signatures for the IKE authentication method, you must install certificates on the TMS zl Module or modules. See “Manage Certificates” on page 4-394. Otherwise, you are finished configuring the VPN (on the module side). However, you can configure global settings if you want. See “Configure Global IPsec Settings” on page 4-429.
Configuring an IPsec Site-to-Site VPN Between TMS zl Modules—Deploy IPsec Site-to-Site VPN Wizard

The Deploy IPsec Site-to-Site VPN wizard can be used to create three types of VPNs:
■ Simple site-to-site VPN between two TMS zl Modules
■ Hub and spoke VPN between three TMS zl Modules
You can also replace another IPsec-compliant device for one of the modules in either deployment.
Create Named Objects for the VPN (Optional)

You might want to configure the named objects indicated in Table 4-13 (for a two-module VPN) or in Table 4-14 (for a three-module VPN). If you do configure the objects, do so on all TMS zl Modules involved in the VPN. (You can, of course, configure other objects that are appropriate for your environment.
Figure 4-65. Example IPsec Site-to-Site VPN

Table 4-14.
Example Figure Reference | Named Object Type | Named Object Description
5 | Single-entry IP address object | The IP address for the VPN gateway on the Spoke 2 module. Firewall access policies on the Hub and Spoke 2 modules—Source or Destination for policies that permit IKE traffic
6 | Single-entry IP, range, or network address objects | • Local Network Address on Spoke 2 in the Deploy IPsec Site-to-Site VPN wizard • Firewal
Run the Deploy IPsec Site-to-Site Wizard

You can run the Deploy IPsec Site-to-Site wizard in two ways. In either case, you must be at the TMS zl folder in the navigation tree. Then either:
■ Right-click the TMS zl folder and select TMS-VPN > Deploy IPsec Site-to-Site.
■ Click the Deploy IPsec Site-to-Site wizard icon in the toolbar.
Deploy IPsec Site-to-Site Wizard

Figure 4-67.
Table 4-15.
Figure 4-68. Deploy IPsec Site-to-Site VPN (Step 1)

7. For Type of deployment, select Site to Site (2 TMS zl modules).
8. For Type of setup, select Typical.
9. Click Next.
Figure 4-69. Deploy IPsec Site-to-Site VPN > Select the gateways for Site1 and Site2

10. Under Site 1, select one of the TMS zl Modules that will form the VPN:
a. For Agent, select the PCM+ agent that manages the module.
b. The Device list is populated with all of the TMS zl Modules managed by the selected agent. Select your module.
11. If the other VPN gateway is a TMS zl Module, select the Site 2 check box.
Figure 4-70. Deploy IPsec Site-to-Site VPN > Select the gateways for Site1 and Site2 (Filled In)

12. Click Next.
13. For Deployment name, type a meaningful string of alphanumeric characters (1 to 15). This name will be applied to the IKE policies, IPsec proposals, and IPsec policies that are created by the wizard.
Figure 4-71. Deploy IPsec Site-to-Site VPN > Deployment Name (Filled in)

14. Click Next.
Figure 4-72. Deploy IPsec Site-to-Site VPN > Configure Gateway Information

Refer to Figure 4-73 for help in configuring the next settings.
Figure 4-73. Example IPsec Site-to-Site VPN

15. For Local Gateway on Site 1, specify the IP address or TMS VLAN at which the other module reaches the Site 1 module. You have two options:
• Select IP Address and type the IP address in the box. The IP address must be an IP address that is configured on the TMS zl Module and that the remote module or modules can reach (indicated by 1 in the example figure).
Figure 4-74. Deploy IPsec Site-to-Site VPN > Configure Gateway Information (Filled In)

17. Click Next.
Figure 4-75. Deploy IPsec Site-to-Site VPN > Configure Network and Protocol Information

18. For Protocol (Action: Allow), specify the protocol for traffic allowed on the VPN:
• Any—Any IP protocol. Select this option when you want to allow all traffic between local and remote endpoints.
• TCP or UDP—Select one of these options when you want to restrict this VPN to carrying certain TCP or UDP services.
19. Under Local Network Address on Site 1, specify the IP addresses of all Site 1 endpoints that are allowed to send traffic over the VPN (indicated by 2 in the figure). Do one of the following to specify addresses:
• Select Single/Range and then Any to permit any IP address. Take care when specifying Any; you might accidentally select traffic for the VPN that should not be sent over the VPN.
• Click within the Local Network Address field and type a value. You can type an IP address, range of IP addresses (first IP address-last IP address), or subnet (network address/prefix length).
22. If the Local Port setting is available, you can type a specific port for a service to which endpoints at Site 2 are allowed access. Or you can leave the field blank (which allows traffic to any port).
3. You should also delete any objects that were applied to your modules before the faulty IPsec policy was applied. Otherwise, if you try to use the same deployment name when you run the wizard again, you will receive an error.
Figure 4-76. Deploy IPsec Site-to-Site VPN > Configure Network and Protocol Information (Filled In)

4. Click Next.
Figure 4-77. Deploy IPsec Site-to-Site VPN > Configure Identifiers

5. Under Site 1 Identifiers, first configure the ID that the Site 1 TMS zl Module sends to authenticate itself. (For more information about ID types, see “IKE Phase 1” on page 4-14.)
a. For Local ID type, select the ID type for the Site 1 module:
– IP Address
– Domain Name
– Email Address
– Distinguished Name
b.
Table 4-16 shows the format for each ID type.

Table 4-16. Local ID Values
Local ID Type | Remote ID Value | Examples
IP Address | A.B.C.D | 172.16.40.103
Domain Name | | TMS.hp.com
Email Address | @ | tms@hp.com
Distinguished Name | /CN= | /CN=TMS.hp.com

6. Next specify the ID that the Site 2 TMS zl Module (or other device) sends to authenticate itself.
a.
Figure 4-78. Deploy IPsec Site-to-Site VPN > Configuration Preview

10. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If either TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box.
Move to “Create Access Policies for the TMS zl Modules in the IPsec Site-to-Site VPN” on page 4-194.

Custom Setup for a Two-Site VPN. Follow these steps:
1. For Type of deployment, select Site to Site (2 TMS zl modules).
2. For Type of setup, select Custom.
3. Click Next.

Figure 4-79. Deploy IPsec Site-to-Site VPN > Select the gateways for Site1 and Site2

4.
5. If the VPN gateway at the second site is a TMS zl Module, select the Site 2 check box.
a. For Agent, select the PCM+ agent that manages the TMS zl Module at the second site.
b. For Device, select the module at the second site.

Figure 4-80. Deploy IPsec Site-to-Site VPN > Select the gateways for Site1 and Site2 (Filled In)

6. Click Next.
7.
This name will be applied to the IKE policies, IPsec proposals, and IPsec policies that are created by the wizard. Therefore, the name that you type cannot be used by any of these objects currently configured on any of the modules in this VPN.

Figure 4-81. Deploy IPsec Site-to-Site VPN > Deployment Name (Filled in)

8. Click Next.
Figure 4-82. Deploy IPsec Site-to-Site VPN > Configure Gateway Information

Refer to Figure 4-83 for help in configuring the next settings.

Figure 4-83.
9. For Local Gateway on Site 1, specify the IP address or TMS VLAN at which the other module or modules reach the Site 1 module. You have two options:
• Select IP Address and type the IP address in the box. The IP address must be an IP address that is configured on the TMS zl Module and that the remote module or modules can reach (indicated by 1 in the example figure).
• Select VLAN and select a VLAN from the list.
Figure 4-84. Deploy IPsec Site-to-Site VPN > Configure Gateway Information (Filled In)

11. Click Next.
Figure 4-85. Deploy IPsec Site-to-Site VPN > Configure Network and Protocol Information

12. For Protocol (Action: Allow), specify the protocol for traffic allowed on the VPN:
• Any—Any IP protocol. Select this option when you want to allow all traffic between local and remote endpoints.
• TCP or UDP—Select one of these options when you want to restrict this VPN to carrying certain TCP or UDP services.
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE 13. Under Local Network Address on Site 1, specify the IP addresses of all Site 1 endpoints that are allowed to send traffic over the VPN (indicated by 2 in the figure). Do one of the following to specify addresses: • Select Single/Range and then Any to permit any IP address. Take care when specifying Any; you might accidently select traffic for the VPN that should not be sent over the VPN.
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE • Click within the Local Network Address field and type a value. You can type an IP address, range of IP addresses (first IP address-last IP address), or subnet (network address/prefix length). 16. If the Local Port setting is available, you can type a specific port for a service to which endpoints at Site 2 are allowed access. Or you can leave the field blank (which allows traffic to any port).
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE 3. You should also delete any objects that were applied to your modules before the faulty IPsec policy was applied. Otherwise, if you try to use the same deployment name when you run the wizard again, you will receive an error.
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE Figure 4-86. Deploy IPsec Site-to-Site VPN > Configure Network and Protocol Information (Filled In) 4. 4-138 Click Next.
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE Figure 4-87. Deploy IPsec Site-to-Site VPN > Configure Identifiers 5. Under Site 1 Identifiers, first configure the ID that the Site 1 TMS zl Module sends to authenticate itself. (For more information about ID types, see “IKE Phase 1” on page 4-14.) a. For Local ID type, select the ID type for the Site 1 module: – IP Address – Domain Name – Email Address – Distinguished Name b.
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE Table 4-17 shows the format for each ID type. Table 4-17. Local ID Values Local ID Type Remote ID Value Examples IP Address A.B.C.D 172.16.40.103 Domain Name TMS.hp.com Email Address @ tms@hp.com Distinguished Name /CN= 6. /CN=TMS.hp.com Next specify the ID that the Site 2 TMS zl Module sends to authenticate itself. a.
Figure 4-88. Deploy IPsec Site-to-Site VPN > Configure Identifiers
7. For Authentication Method, select one of the following:
• Preshared Key
• DSA Signature
• RSA Signature
If you select DSA Signature or RSA Signature, you can go directly to step 8. (After you finish the wizard, you must install certificates as described in “Manage Certificates” on page 4-394.
Figure 4-89. Deploy IPsec Site-to-Site VPN > Configure Advanced IKE Settings
10. For Key Exchange Mode, select Main Mode or Aggressive Mode.
11. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA (the IKE policy on remote endpoints must match):
a.
b. For Encryption Algorithm, select one of these protocols, listed from least secure (and least processor-intensive) to most:
– DES
– AES-128 (16)
– 3DES
– AES-192 (24)
– AES-256 (32)
The number in parentheses after AES options indicates the key length for the algorithm in bytes.
c.
Figure 4-90. Deploy IPsec Site-to-Site VPN > Configure Advanced IPsec Settings
13. For Encapsulation Mode, typically select Tunnel Mode. Tunnel mode allows endpoints at each site to reach services behind the TMS zl Modules. In transport mode, the VPN only supports traffic originated by the TMS zl Modules themselves.
14. For IPsec Security Protocol/Encryption/Authentication Algorithm, select one of the options.
• Group 5 (1536)
The group determines the length of the prime number used during the exchange. The larger the number, the more secure the key generated by the exchange.
16. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes).
For information and guidelines on these settings, see “Advanced IPsec Features” on page 4-21.
19. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Anti-Replay Window” on page 4-22 for more information.
20.
Figure 4-91. Deploy IPsec Site-to-Site VPN > Configuration Preview
23. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If either TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box.
Typical Setup for a Hub and Spoke (Three Module) VPN. Follow these steps to complete the wizard:
1. For Type of deployment, select Hub and spoke (3 TMS zl modules).
2. For Type of setup, select Typical.
Figure 4-92. Deploy IPsec Site-to-Site VPN (Step 1)
3. Click Next.
Figure 4-93. Deploy IPsec Site-to-Site VPN > Select the Hub and Spokes
4. Under Hub, select the TMS zl Module that is the hub of the site-to-site VPN. That is, both of the other modules connect to it and not to each other.
a. For Agent, select the PCM+ agent that manages this module.
b. The Hub list is populated with all of the TMS zl Modules managed by the selected agent. Select your module.
5.
6.
7.
8. For Deployment name, type a meaningful string of alphanumeric characters (1 to 15). This name will be applied to the IKE policies, IPsec proposals, and IPsec policies that are created by the wizard. Therefore, the name that you type cannot be used by any of these objects currently configured on any of the modules in this VPN.
Figure 4-94. Deploy IPsec Site-to-Site VPN > Deployment Name (Filled In)
9.
Figure 4-95.
Refer to Figure 4-96 for help in configuring the next settings.
Figure 4-96. Example Hub and Spoke VPN
10. For Local Gateway on the Hub, specify the IP address or TMS VLAN at which the other modules reach the hub module. You have two options:
• Select IP Address and type the IP address in the box.
11. For Local Gateway on Spoke 1, follow the same procedure to specify the IP address or TMS VLAN at which the hub reaches the Spoke 1 module (indicated by 3 in the example figure).
Note: Later you will configure firewall access policies to allow the IKE messages between the TMS zl Modules.
Figure 4-97. Deploy IPsec Site-to-Site VPN > Configure Public Interface for Hub and Spoke 1 (Filled In)
12. Click Next.
Figure 4-98. Deploy Site-to-Site VPN > Configure Local Networks for Hub and Spoke 1
13. For Protocol (Action: Allow), specify the protocol for traffic allowed on the VPN:
• Any—Any IP protocol. Select this option when you want to allow all traffic between local and remote endpoints.
• TCP or UDP—Select one of these options when you want to restrict this VPN to carrying certain TCP or UDP services.
Do one of the following to specify addresses:
• Select Single/Range and then Any to permit any IP address. Take care when specifying Any; you might accidentally select traffic for the VPN that should not be sent over the VPN.
• Click the arrow for Single/Range and select a single item from the list. The list includes all subnets that are configured on the Hub TMS zl Module.
Caution: The wizard combines the local network settings for both sites to produce a traffic selector for the VPN. For example, the Hub module selects incoming traffic between the Hub local network and the Spoke 1 local network for the VPN, and vice versa. Typically, the selected traffic does not include management traffic for the TMS zl Modules themselves.
gateway address, you must create a Bypass IPsec policy to exclude IKE traffic to and from the module from the VPN. Otherwise the VPN cannot be established.
Caution: Also take great care when specifying Any for either local network. You might inadvertently block necessary traffic.
Figure 4-99. Deploy IPsec Site-to-Site VPN > Configure Local Networks for Hub and Spoke 1 (Filled In)
4. Click Next.
Figure 4-100. Deploy IPsec Site-to-Site VPN > Configure Public Interface for Hub and Spoke 2
5. If you are configuring only two modules, move to step 9 on page 4-164. Otherwise, refer to step 10 on page 4-152 and step 11 and follow the same process to specify the public interface on the Hub and Spoke 2 modules.
Figure 4-101. Example Hub and Spoke Deployment
Note: Later you will configure firewall access policies to allow the IKE messages between the TMS zl Modules.
Figure 4-102. Deploy IPsec Site-to-Site VPN > Configure Public Interface for Hub and Spoke 2 (Filled In)
6. Click Next.
Figure 4-103. Deploy IPsec Site-to-Site VPN > Configure Local Networks for Hub and Spoke 2
7. Refer to step 13 on page 4-154 to step 17 and follow the same process to specify the local networks for the Hub and Spoke 2 modules. (The same cautions apply.) In Figure 4-101 on page 4-160, 2 indicates the Hub local addresses and 6 indicates Spoke 2’s.
Figure 4-104. Deploy IPsec Site-to-Site VPN > Configure Local Networks for Hub and Spoke 2 (Filled In)
8. Click Next.
Figure 4-105. Deploy IPsec Site-to-Site VPN > Configure Identifiers
9. Under Hub to Spoke 1, first configure the ID that the hub TMS zl Module sends to authenticate itself to the Spoke 1 module. (For more information about ID types, see “IKE Phase 1” on page 4-14.)
a. For Local ID type, select the ID type for the hub module:
– IP Address
– Domain Name
– Email Address
– Distinguished Name
b.
Table 4-18. Local ID Values
Local ID Type        Remote ID Value   Examples
IP Address           A.B.C.D           172.16.40.103
Domain Name                            TMS.hp.com
Email Address        @                 tms@hp.com
Distinguished Name   /CN=              /CN=TMS.hp.com
10. Under Hub to Spoke 1, next specify the ID that the Spoke 1 TMS zl Module sends to authenticate itself to the hub module.
a.
Figure 4-106. Deploy IPsec Site-to-Site VPN > Configure Identifiers (Filled In)
12. Click Next.
Figure 4-107. Deploy IPsec Site-to-Site VPN > Authentication
13. Under Hub to Spoke 1, configure how the hub and spoke 1 modules authenticate each other.
a. For Authentication Method, select one of the following:
– Preshared Key
– DSA Signature
– RSA Signature
If you select DSA Signature or RSA Signature, you can go directly to step 8.
14. If you are configuring a second spoke, under Hub to Spoke 2, follow the same process to configure how the hub and spoke 2 modules authenticate each other.
15. Click Next.
Figure 4-108. Deploy IPsec Site-to-Site VPN > Configuration Preview
16. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box.
17. A window is displayed, showing the settings being applied to the TMS zl Module. When you see that they have been applied successfully, click Close. Move to “Create Access Policies for the TMS zl Modules in the IPsec Site-to-Site VPN” on page 4-194.
Custom Setup for a Hub and Spoke (Three Module) VPN. Follow these steps to complete the wizard:
1. For Type of deployment, select Hub and spoke (3 TMS zl modules).
2.
Figure 4-110. Deploy IPsec Site-to-Site VPN > Select the Hub and Spokes
4. Under Hub, select the TMS zl Module that is the hub of the site-to-site VPN. That is, both of the other modules connect to it and not to each other.
a. For Agent, select the PCM+ agent that manages this module.
b. The Hub list is populated with all of the TMS zl Modules managed by the selected agent. Select your module.
5.
This name will be applied to the IKE policies, IPsec proposals, and IPsec policies that are created by the wizard. Therefore, the name that you type cannot be used by any of these objects currently configured on any of the modules in this VPN.
Figure 4-111. Deploy IPsec Site-to-Site VPN > Deployment Name (Filled In)
9. Click Next.
Figure 4-112. Deploy IPsec Site-to-Site VPN > Configure Public Interface for Hub and Spoke 1
Refer to Figure 4-113 for help in configuring the next settings.
Figure 4-113. Example IPsec Hub and Spoke VPN
10. For Local Gateway on the Hub, specify the IP address or TMS VLAN at which the other modules reach the hub module. You have two options:
• Select IP Address and type the IP address in the box. The IP address must be an IP address that is configured on the TMS zl Module and that the remote modules can reach (indicated by 1 in the example figure).
11. For Local Gateway on Spoke 1, follow the same procedure to specify the IP address or TMS VLAN at which the hub reaches the Spoke 1 module (indicated by 3 in the example figure).
Note: Later you will configure firewall access policies to allow the IKE messages between the TMS zl Modules.
Figure 4-114. Deploy IPsec Site-to-Site VPN > Configure Public Interface for Hub and Spoke 1 (Filled In)
12. Click Next.
Figure 4-115. Deploy IPsec Site-to-Site VPN > Configure Local Networks for Hub and Spoke 1
13. For Protocol (Action: Allow), specify the protocol for traffic allowed on the VPN:
• Any—Any IP protocol. Select this option when you want to allow all traffic between local and remote endpoints.
• TCP or UDP—Select one of these options when you want to restrict this VPN to carrying certain TCP or UDP services.
Do one of the following to specify addresses:
• Select Single/Range and then Any to permit any IP address. Take care when specifying Any; you might accidentally select traffic for the VPN that should not be sent over the VPN.
• Click the arrow for Single/Range and select a single item from the list. The list includes all subnets that are configured on the Hub TMS zl Module.
Caution: The wizard combines the local network settings for both sites to produce a traffic selector for the VPN. For example, the Hub module selects incoming traffic between the Hub local network and the Spoke 1 local network for the VPN, and vice versa. Typically, the selected traffic does not include management traffic for the TMS zl Modules themselves.
gateway address, you must create a Bypass IPsec policy to exclude IKE traffic to and from the module from the VPN. Otherwise the VPN cannot be established.
Caution: Also take great care when specifying Any for either local network. You might inadvertently block necessary traffic.
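The caution above (repeated from the Typical setup) describes how the wizard combines the two local networks into a traffic selector, and why a Bypass IPsec policy is needed when a module's own gateway address falls inside that selector. The following Python model is an added illustration, not taken from the HP guide or from the TMS zl Module software: it builds the two directional selectors from the Protocol and local network settings and checks whether IKE between the two gateway addresses would itself be selected for the VPN. The function names and every network and gateway address in it are constructed for this example.

```python
# Added example (not from the HP guide or the TMS zl Module software):
# model the directional traffic selectors the site-to-site wizard derives
# from the Hub and Spoke local-network settings, and flag the case where a
# module's own gateway address falls inside a selector, so that IKE between
# the gateways would itself be pulled into the VPN unless a Bypass IPsec
# policy excludes it. Function names and all addresses are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Selector:
    """One direction of the combined traffic selector."""
    protocol: str         # "any", "tcp" or "udp", as offered by the wizard
    src: IPv4Network
    dst: IPv4Network

    def matches(self, protocol: str, src: IPv4Address, dst: IPv4Address) -> bool:
        proto_ok = self.protocol == "any" or self.protocol == protocol
        return proto_ok and src in self.src and dst in self.dst


def _as_network(value: str) -> IPv4Network:
    # The wizard's "Any" choice is modelled as the whole IPv4 space.
    if value.strip().lower() == "any":
        return ip_network("0.0.0.0/0")
    return ip_network(value, strict=False)


def build_selectors(protocol: str, hub_local: str, spoke_local: str) -> List[Selector]:
    """Combine the Hub and Spoke local networks into the two directional
    selectors the guide describes: hub -> spoke and spoke -> hub."""
    proto = protocol.strip().lower()
    if proto not in ("any", "tcp", "udp"):
        raise ValueError("Protocol must be Any, TCP or UDP")
    hub, spoke = _as_network(hub_local), _as_network(spoke_local)
    return [Selector(proto, hub, spoke), Selector(proto, spoke, hub)]


def ike_needs_bypass(selectors: List[Selector], hub_gw: str, spoke_gw: str) -> bool:
    """True when IKE (carried over UDP) between the two gateway addresses
    would be selected for the VPN in either direction. That is the situation
    in which the guide requires a Bypass IPsec policy for IKE traffic,
    because otherwise the VPN cannot be established."""
    h, s = ip_address(hub_gw), ip_address(spoke_gw)
    return any(sel.matches("udp", h, s) or sel.matches("udp", s, h) for sel in selectors)


if __name__ == "__main__":
    # Constructed sample: private LANs behind each module and public gateway
    # addresses outside them, so IKE is not caught by the selector.
    sels = build_selectors("Any", "10.1.0.0/16", "10.2.0.0/24")
    print(ike_needs_bypass(sels, "192.0.2.1", "198.51.100.1"))    # False
    # Constructed sample: the gateway addresses lie inside the local
    # networks, so a Bypass IPsec policy for IKE is needed.
    sels = build_selectors("Any", "192.0.2.0/24", "198.51.100.0/24")
    print(ike_needs_bypass(sels, "192.0.2.1", "198.51.100.1"))    # True
```

Running the check against the networks you intend to type into the wizard, before you deploy, is a cheap way to catch the Any-for-everything case the second caution warns about.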
4. Click Next.
Figure 4-117. Deploy IPsec Site-to-Site VPN > Configure Public Interface for Hub and Spoke 2
5. If you are configuring only two modules, move to step 9 on page 4-184. Otherwise, refer to step 10 and step 11 on page 4-174 and follow the same process to specify the public interface on the Hub and Spoke 2 modules.
Figure 4-118. Example Hub and Spoke Deployment
Note: Later you will configure firewall access policies to allow the IKE messages between the TMS zl Modules.
Figure 4-119. Deploy IPsec Site-to-Site VPN > Configure Public Interface for Hub and Spoke 2 (Filled In)
6. Click Next.
Figure 4-120. Configure Local Networks for Hub and Spoke 2
7. Refer to step 13 on page 4-175 to step 17 and follow the same process to specify the local networks for the Hub and Spoke 2 modules. (The same cautions apply.) In Figure 4-118 on page 4-180, 2 indicates the Hub local addresses and 6 indicates Spoke 2’s.
Figure 4-121. Deploy IPsec Site-to-Site VPN > Configure Local Networks for Hub and Spoke 2 (Filled In)
8. Click Next.
Figure 4-122. Deploy IPsec Site-to-Site VPN > Configure Identifiers
9. Under Hub to Spoke 1, first configure the ID that the hub TMS zl Module sends to authenticate itself to the Spoke 1 module. (For more information about ID types, see “IKE Phase 1” on page 4-14.)
a. For Local ID type, select the ID type for the hub module:
– IP Address
– Domain Name
– Email Address
– Distinguished Name
b.
Table 4-19. Local ID Values
Local ID Type        Remote ID Value   Examples
IP Address           A.B.C.D           172.16.40.103
Domain Name                            TMS.hp.com
Email Address        @                 tms@hp.com
Distinguished Name   /CN=              /CN=TMS.hp.com
10. Under Hub to Spoke 1, next specify the ID that the Spoke 1 TMS zl Module sends to authenticate itself to the hub module.
a.
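Tables 4-17 to 4-19 give the value format for each Local ID type, and the manual IKE policy procedure later in this chapter notes that the local ID must match the peer's remote ID exactly, in both type and value. The Python below is an added example, not the guide's or the module's code: it validates a value against its ID type and checks that two IDs match exactly. The accepted syntax for domain names and distinguished names is an assumption (the page does not state the module's exact rules), and the sample IDs are the ones from the table plus constructed variations.

```python
# Added example (not from the HP guide or the TMS zl Module software):
# validate an IKE ID value against its Local ID type as laid out in
# Tables 4-17 to 4-19, and check that a local ID and the peer's configured
# remote ID agree exactly in type and value. The domain-name and DN syntax
# accepted here is an assumption of this example.
import re
from ipaddress import AddressValueError, IPv4Address

ID_TYPES = ("IP Address", "Domain Name", "Email Address", "Distinguished Name")

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_EMAIL_RE = re.compile(rf"^[A-Za-z0-9._%+-]+@(?:{_LABEL}\.)+{_LABEL}$")
# Slash-separated DN components such as /C=US/O=HP/CN=TMS.hp.com (assumed form).
_DN_RE = re.compile(r"^(?:/[A-Za-z]+=[^/=]+)+$")


def validate_id(id_type: str, value: str) -> bool:
    """Return True if value has the format the table gives for id_type."""
    if id_type == "IP Address":
        try:
            IPv4Address(value)          # A.B.C.D
            return True
        except AddressValueError:
            return False
    if id_type == "Domain Name":
        return bool(_FQDN_RE.match(value))
    if id_type == "Email Address":
        return bool(_EMAIL_RE.match(value))
    if id_type == "Distinguished Name":
        # The table shows /CN= as the required element of the DN.
        return "/CN=" in value and bool(_DN_RE.match(value))
    raise ValueError(f"unknown ID type {id_type!r}; expected one of {ID_TYPES}")


def ids_match(local_type: str, local_value: str,
              remote_type: str, remote_value: str) -> bool:
    """IKE phase 1 succeeds only if the ID the local module sends is exactly
    what the peer expects as its remote ID: same type, same (case-sensitive)
    value, and both well formed."""
    return (validate_id(local_type, local_value)
            and validate_id(remote_type, remote_value)
            and local_type == remote_type
            and local_value == remote_value)


if __name__ == "__main__":
    for id_type, value in [("IP Address", "172.16.40.103"),
                           ("Domain Name", "TMS.hp.com"),
                           ("Email Address", "tms@hp.com"),
                           ("Distinguished Name", "/CN=TMS.hp.com"),
                           ("Distinguished Name", "CN=TMS.hp.com")]:   # constructed bad value
        print(f"{id_type:20} {value:20} {'ok' if validate_id(id_type, value) else 'INVALID'}")
    print(ids_match("Domain Name", "TMS.hp.com", "Domain Name", "TMS.hp.com"))   # True
    print(ids_match("Domain Name", "TMS.hp.com", "Domain Name", "tms.hp.com"))   # False
```

The second call at the bottom shows the mismatch that is easy to miss in a wizard: the same name typed with different capitalisation on the two modules is not the same ID.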
Figure 4-123. Deploy IPsec Site-to-Site VPN > Configure Identifiers (Filled In)
12. Click Next.
Figure 4-124. Deploy IPsec Site-to-Site VPN > Authentication
13. Under Hub to Spoke 1, configure how the hub and spoke 1 modules authenticate each other.
a. For Authentication Method, select one of the following:
– Preshared Key
– DSA Signature
– RSA Signature
If you select DSA Signature or RSA Signature, you can go directly to step 8.
14. If you are configuring a second spoke, under Hub to Spoke 2, follow the same process to configure how the hub and spoke 2 modules authenticate each other.
15. Click Next.
Figure 4-125. Deploy IPsec Site-to-Site VPN > Configure Advanced IKE Settings
16. For Key Exchange Mode, select Main Mode or Aggressive Mode.
17.
The group determines the length of the prime number used during the exchange. The larger the number, the more secure the key generated by the exchange.
b.
Figure 4-126. Deploy IPsec Site-to-Site VPN > Configure Advanced IPsec Settings
19. For Encapsulation Mode, typically select Tunnel Mode. Tunnel mode allows endpoints at each site to reach services behind the TMS zl Modules. In transport mode, the VPN only supports traffic originated by the TMS zl Modules themselves.
20. For IPsec Security Protocol/Encryption/Authentication Algorithm, select one of the options.
• Group 1 (768)
• Group 2 (1024)
• Group 5 (1536)
The group determines the length of the prime number used during the exchange. The larger the number, the more secure the key generated by the exchange.
22. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes).
This setting is enabled by default. For information and guidelines on these settings, see “Advanced IPsec Features” on page 4-21.
25. For Anti-Replay Window Size, type a value between 32 and 1024. This setting determines how far out of order a packet can arrive and still be accepted. See “Anti-Replay Window” on page 4-22 for more information.
26.
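The Anti-Replay Window Size step (here and in the Typical setup) says the window decides how far out of order a packet may arrive and still be accepted. The following sliding-window implementation is an added example, not code from the HP guide or the TMS zl Module: it enforces the guide's 32 to 1024 size range and shows how a late packet inside the window is accepted once, a duplicate is dropped, and a packet behind the window is dropped. The bitmap bookkeeping is the generic scheme used by IPsec implementations and is assumed here, not the module's own code; the sequence numbers are constructed.

```python
# Added example (not from the HP guide or the TMS zl Module software):
# a sliding anti-replay window of the kind the Anti-Replay Window Size
# setting configures. The size limits follow the guide (32 to 1024); the
# bitmap bookkeeping is the generic textbook scheme and is an assumption,
# not the module's implementation. Sequence numbers are constructed samples.


class AntiReplayWindow:
    MIN_SIZE, MAX_SIZE = 32, 1024

    def __init__(self, size: int) -> None:
        if not self.MIN_SIZE <= size <= self.MAX_SIZE:
            raise ValueError(f"window size must be between {self.MIN_SIZE} and {self.MAX_SIZE}")
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means sequence (highest - i) was already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True if the packet is accepted; False if it is a replay or
        arrived so far out of order that it falls behind the window."""
        if seq <= 0:
            return False  # sequence numbers start at 1
        if seq > self.highest:
            # Slide the window forward; bits that fall off the end are forgotten.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # too far behind: cannot tell whether it was seen
        if self.bitmap & (1 << offset):
            return False  # already accepted once: replay
        self.bitmap |= 1 << offset  # late but new: accept and remember it
        return True


def replay_trace(size: int, arrivals):
    """Run a constructed arrival order through one window and return the
    list of (sequence number, accepted) decisions."""
    window = AntiReplayWindow(size)
    return [(seq, window.check_and_update(seq)) for seq in arrivals]


if __name__ == "__main__":
    # Constructed arrival order: 4 arrives late but inside the window (accepted),
    # 3 arrives twice (replay), 8 arrives 32 behind the high mark of 40 (dropped).
    for seq, ok in replay_trace(32, [1, 2, 3, 5, 4, 3, 40, 8, 9, 40]):
        print(seq, "accepted" if ok else "dropped")
```

The trace makes the trade-off in the setting concrete: a larger window tolerates more reordering on a path with parallel links, but the packet at offset 32 is dropped with a window of 32 and would be accepted with a window of 64.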
Figure 4-127. Deploy IPsec Site-to-Site VPN > Configuration Preview
29. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box.
Create Access Policies for the TMS zl Modules in the IPsec Site-to-Site VPN
Before you begin configuring firewall access policies, you need to examine the zones on each of your TMS zl Modules. For each module, determine the following:
■ Zone or zones on which the other module or modules reach this module—This will be called the remote zone
■ Zone or zones for local endpoints allowed on the VPN.
Note: The value for TCP MSS in the table is only a suggestion. You should determine the best setting for your environment.
Table 4-20.
When Required        From Zone   To Zone   Service                  Source   Destination   TCP MSS   Number of policies
Always               Remote      SELF      IKE (isakmp)             3        1             —         1
Always               SELF        Remote    IKE (isakmp)             1        3             —         1
Always               Remote      Local     Any you choose           4        2             1356      As many as you choose
Always               Local       Remote    Any you choose           2        4             1356      As many as you choose
When NAT-T is used   Remote      SELF      NAT-T (ipsecnat-t-udp)   3        1             —         1
When NAT-T is use
If you selected RSA or DSA signatures for the authentication method when you ran the wizard, you must install certificates on each TMS zl Module. See “Manage Certificates” on page 4-394. Otherwise, you are finished configuring the VPN. However, you can configure global settings if you want. See “Configure Global IPsec Settings” on page 4-429.
Policy or Proposal   Parameter                  Module-Specific or Same for Every Selected Module
IPsec Proposal       Proposal Name              Same
                     Encapsulation Mode         Same
                     Security Protocol          Same
                     Encryption Algorithm       Same
                     Authentication Algorithm   Same
Whether you are configuring one module or multiple modules, complete the following tasks:
1.
See “Configure Global IPsec Settings” on page 4-429.
9. Configure the remote VPN gateway with compatible settings. Refer to the documentation for the remote gateway. (The HP Threat Management Services zl Module Management and Configuration Guide also gives some guidelines and example configurations.)
Create Named Objects for the VPN (Optional)
You might want to configure the named objects indicated in Table 4-22.
Figure 4-129. Example IPsec Site-to-Site VPN
Create an IKE Policy for a Site-to-Site IPsec VPN
Follow these steps to create an IKE policy that the TMS zl Module can use to negotiate a site-to-site VPN:
1. In the PCM+ navigation tree, expand Network Management Home > Agent Groups > Default Agent Group > Devices > TMS zl.
2.
Figure 4-130. PCM+ > TMS-VPN > IPsec Window
4. You can add an IKE policy in several ways:
• If you are configuring a single module, you can click the IKEv1 Policies tab. Right-click the TMS zl Module’s name in the main configuration window and select Add. Move to step 5 on page 4-203.
Figure 4-131.
Manage IPsec Wizard
Figure 4-132. PCM+ > TMS-VPN Window (Manage IPsec Wizard)
i. Whichever way you open the wizard, in the first window, select IKEv1 Policy for Managed Objects and Add for Actions.
Figure 4-133.
ii. Click Next. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 5 on page 4-203.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed. Select the modules that you want to configure (you can press and hold [Ctrl] to select multiple modules) and click the arrow button to move them to the Selected Devices list.
Figure 4-134.
6. For IKE Policy Name, type a string that is unique to this policy on all TMS zl Modules selected for configuration. For example, you might type RemoteAccess. The string can include 1 to 15 alphanumeric characters.
7. For IKE Policy Type, select Site-to-Site. The TMS zl Module will respond to IKE messages from the gateway at the remote site.
Figure 4-136. Example IPsec Site-to-Site VPN
8. For Local Gateway, specify an IP address on this module. You have two options:
• Select IP Address and type the IP address in the box. The IP address must be an IP address configured on the TMS zl Module. Type an address that the remote gateway can reach on your network (indicated by 1 in the example figure).
Note: Later you will configure firewall access policies to allow the IKE messages from the remote gateway.
10. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself. This ID must match exactly, in both type and value, the remote ID specified on the remote endpoint. For more information about ID types, see “IKE Phase 1” on page 4-14.
a.
Figure 4-137. Manage IPsec Wizard > Add IKEv1 Policy (step 2) Window
13. Under IKE Authentication, configure these settings:
a. For Key Exchange Mode, select Main Mode or Aggressive Mode. The mode must match that configured on the remote endpoint. See “IKE modes” on page 4-18 for guidelines.
b.
The string (which is case-sensitive) must match that configured on the remote gateway.
14. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA:
a. For Diffie-Hellman (DH) Group, select the group for the Diffie-Hellman exchange:
– Group 1 (768)
– Group 2 (1024)
– Group 5 (1536)
The group determines the length of the prime number used during the exchange.
Figure 4-138. Manage IPsec Wizard > Add IKEv1 Policy (step 3) Window
16. If you want, configure XAUTH, which is an optional additional layer of security. Otherwise, leave Disable XAUTH selected and move to step 17. You can configure the TMS zl Module to act either as a client (authenticate itself) or as a server (authenticate the remote gateway):
• Select Enable XAUTH Server.
Figure 4-139. Manage IPsec Wizard > Add IKE Policy (step 3) Window
i. For Authentication Type, select Generic or CHAP. CHAP offers greater security.
ii. For Username, type a username accepted by the remote gateway’s authentication server.
iii. For Password, type the password associated with that username.
17. Click Next.
18. Review the configuration settings you have selected.
The IKE policy is displayed in the TMS-VPN > IPsec > IKEv1 Policies window. Move to the next task.
Figure 4-140. PCM+ > TMS-VPN > IPsec > IPsec Proposals Window
• Alternatively, open the Manage IPsec Wizard.
Figure 4-141.
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE i. In the first window, select IPsec Proposal for Managed Objects and Add for Actions. Figure 4-142. Manage IPsec Wizard > Manage IPsec Main Menu Window ii. Click Next. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 4 on page 4-86. iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE Figure 4-143. Manage IPsec Wizard > Select Devices iv. Click Next. All of the IPsec proposals settings that you configure in the next wizard will be applied to each of the devices that you have selected.
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE Figure 4-144. Manage IPsec Wizard > Add IPsec Proposal Window 4. In the Add IPsec Proposal window, type a descriptive string of 1 to 32 alphanumeric characters for Proposal Name. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5. 5.
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE 6. For Security Protocol, select AH or ESP. 7. If you selected ESP in the previous step, select one of the following for Encryption Algorithm: • NULL If you select this option, VPN traffic will not be encrypted. • DES • 3DES • AES-128 (16) • AES-192 (24) • AES-256 (32) The number in parentheses after AES options indicates the key length for the algorithm in bytes. 8.
Configuring a VPN on the HP TMS zl Module Configuring an IPsec Site-to-Site VPN with IKE Move to the next task: configuring an IPsec policy. Create an IPsec Policy for an IPsec Site-to-Site VPN That Uses IKE This section explains how to configure an IPsec policy for an IPsec SA that is established between two gateway devices using IKE. The IPsec policy includes the settings that are negotiated during IKE phase 2 and also selects traffic for the VPN connection.
Figure 4-146. PCM+ > TMS-VPN > IPsec Window (Manage IPsec Wizard)
i. In the first window, select IPsec Policy for Managed Objects and Add for Actions.
Figure 4-147.
ii. Click Next.
Figure 4-148. Manage IPsec Wizard > Add IPsec Policy (step 1) Window
4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6.
The position determines the order in which the TMS zl Module processes IPsec policies. The module processes the policy with the lowest value first (for example, position 1 before position 2). The position matters most when policies have overlapping traffic selectors. In this case, assign the highest position (lowest value) to the IPsec policy with the most specific traffic selector.
– IP Protocols—Select one of these Layer 3 protocols, which are listed by their IANA IP Protocol numbers. Service objects and service groups will not appear in this list.
b. For Local Address, specify the IP addresses of all local endpoints that are allowed to send traffic over the VPN (indicated by 2 in the figure). Do one of the following to specify addresses:
– Select Any to permit any IP address.
1. Access the module and delete the IPsec policy:
• If the module has multiple IP addresses in its management-access zone, you might be able to contact the module’s Web browser interface at one of the other addresses. You can then delete the faulty IPsec policy from the VPN > IPsec > IPsec Policies window (the policy will be labeled with the deployment name that you specified in the wizard).
The IPsec proposal specifies the IPsec mode, IPsec protocol, and the authentication and encryption algorithms that secure the VPN connection. See “Create an IPsec Proposal for an IPsec Site-to-Site VPN” on page 4-211.
4. Click Next.
Figure 4-150. Manage IPsec Wizard > Add IPsec Policy (step 2) Window
5. For Key Exchange Method, select Auto (with IKEv1).
6.
The group determines the length of the prime number used during the exchange. The larger the number, the more secure the key generated by the exchange.
8. For SA Lifetime in seconds, type a value between 300 (5 minutes) and 86400 (24 hours). Or type 0 if you do not want to specify a lifetime in seconds (in this case, you must specify a lifetime in kilobytes). This setting determines how long the IPsec SA remains open.
Figure 4-151. Manage IPsec Wizard > Add IPsec Policy (step 3) Window
11. The Add IPsec Policy (step 3) window allows you to configure settings for IKE mode config, which is not valid for a site-to-site VPN. Click Next.
Figure 4-152. Manage IPsec Wizard > Add IPsec Policy (step 4) Window
12. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable extended sequence number
– Enable re-key on sequence number overflow (this setting is enabled by default)
c. For DF Bit Handling, select one of these options:
– Copy DF bit from clear packet: the TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
– Set DF bit: the module sets the DF bit for all IPsec packets.
– Clear DF bit: the module clears the DF bit for all IPsec packets.
See “The Copying of Values from the Original IP Header” on page 4-23 for more information.
d.
Create Access Policies for an IPsec Site-to-Site VPN that Uses IKE
You must configure appropriate access policies on each TMS zl Module on which you configured a site-to-site VPN. Before you begin configuring firewall access policies on a module, determine the zone on which traffic from the remote gateway arrives. Typically, this is the External zone, but it could be another zone.
Note
The value for TCP MSS in the table is only a suggestion. You should determine the best setting for your environment.
Table 4-24.
Configuring an IPsec Site-to-Site VPN with Manual Keying
routes. However, to better illustrate the necessary routes, the figure shows two specific routes. Note that, no matter how you set up the routes, the local VPN gateway configured in the IKE policy must be 192.168.115.71, which is the module IP address on the forwarding VLAN for these routes.
Advantages
• Manual keying does not depend on the IKE protocol, so less processing is used initially to negotiate the SA.
• You do not need to open UDP 500 (ISAKMP) in the firewall.
• Manual keying is required for an IPsec VPN that is limited to ICMP echo or timestamp traffic.
Disadvantages
• Keys can be leaked, and overall the tunnel is less secure.
• Lengthy keys can be mistyped.
See “Create an IPsec Proposal” on page 4-233.
3. Create an IPsec policy. See “Create an IPsec Policy That Uses Manual Keying” on page 4-238.
4. Create necessary firewall access policies. See “Create Access Policies for an IPsec Site-to-Site VPN with Manual Keying” on page 4-249.
5. Create a static route, if necessary. See “Verify Routes for an IPsec Site-to-Site VPN” on page 4-251.
6.
Table 4-26.
You can configure multiple IPsec proposals. In a later task, you will specify a proposal in an IPsec policy. The algorithm or algorithms in that proposal will secure traffic that is part of IPsec tunnels (VPN connections) that are established with that policy. Follow these steps to configure an IPsec proposal:
1. 2. 3.
Figure 4-157. PCM+ > TMS-VPN > IPsec Window (Manage IPsec Wizard)
i. In the first window, select IPsec Proposal for Managed Objects and Add for Actions.
Figure 4-158. Manage IPsec Wizard > Manage IPsec Main Menu Window
ii. Click Next. If you launched the wizard from a specific TMS zl Module in the navigation tree, move to step 4 on page 4-237.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed. Select the modules that you want to configure (you can press and hold [Ctrl] to select multiple modules) and click the arrow button to move them to the Selected Devices list.
Figure 4-159. Manage IPsec Wizard > Select Devices
iv. Click Next.
Figure 4-160. Manage IPsec Wizard > Add IPsec Proposal Window
4. In the Add IPsec Proposal window, type a descriptive string of 1 to 32 alphanumeric characters for Proposal Name. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5.
5. For Encapsulation Mode, typically select Tunnel Mode.
• DES
• 3DES
• AES-128 (16)
• AES-192 (24)
• AES-256 (32)
The number in parentheses after the AES options indicates the key length for the algorithm in bytes.
8. If you selected either ESP or AH, for Authentication Algorithm, select one of the following:
• None (you must not select None if you selected AH for the Security Protocol or if you selected NULL for the ESP Encryption Algorithm)
9.
2. In the main configuration window, move to the TMS - VPN > IPsec tab.
3. You can add the IPsec policy in several ways:
• Click the IPsec Policies tab. Right-click the TMS zl Module’s name and select Add. Move to step 4 on page 4-241.
Figure 4-161.
i. In the first window, select IPsec Policy for Managed Objects and Add for Actions.
Figure 4-163. Manage IPsec Wizard > Manage IPsec Main Menu Window
ii. Click Next.
Figure 4-164. Manage IPsec Wizard > Add IPsec Policy (step 1) Window
4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6.
Next, you configure the VPN traffic selector, which determines which traffic is selected by the policy. For example, the selector might specify all IP traffic between 192.168.2.0/24 (a local network) and 192.168.3.0/24 (a remote network). For a policy with the Apply action, the selected traffic is the traffic that is sent and received (and secured) on the IPsec SA.
– Select the single-entry IP, range, or network address object that you configured for local endpoints. (An address object is not valid for a transport-mode VPN.)
– Manually type an IP address (for an L2TP over IPsec VPN, type the IP address of the local VPN gateway), IP address range, or network address in CIDR format (192.168.1.1/24).
c. Local Port is present if you selected TCP or UDP for Protocol.
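The position rule (lowest position value is processed first, and the most specific selector must get the lowest value when selectors overlap) and the traffic selector just described can be checked before a policy set is deployed. The Python model below is an added example, not HP’s code or the TMS zl Module’s implementation: the selector fields mirror the wizard’s Protocol, Local Address, Remote Address, Local Port and Remote Port settings, the sample policies (the 192.168.2.0/24 to 192.168.3.0/24 site-to-site selector, a narrower single-host selector, and an L2TP selector on UDP 1701 for the gateway address 192.168.115.71) are constructed here, and the catch-all default policy that leaves unmatched traffic unencrypted stands in for the module’s built-in default policy.

```python
"""Check the ordering of IPsec policies with overlapping traffic selectors.

Added example, not HP's code or the TMS zl Module's implementation. The
selector fields mirror the wizard's Protocol, Local Address, Remote Address,
Local Port and Remote Port settings; the sample policies and addresses are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Selector:
    protocol: str = ANY                # "any", "tcp", "udp", ...
    local: str = ANY                   # CIDR network ("192.168.2.0/24") or "any"
    remote: str = ANY
    local_port: Optional[int] = None   # only meaningful for tcp/udp
    remote_port: Optional[int] = None

    def matches(self, proto, src, dst, sport=None, dport=None) -> bool:
        """True if a packet (proto, src -> dst, sport -> dport) is selected."""
        if self.protocol != ANY and self.protocol != proto:
            return False
        if self.local != ANY and ip_address(src) not in ip_network(self.local):
            return False
        if self.remote != ANY and ip_address(dst) not in ip_network(self.remote):
            return False
        if self.local_port is not None and self.local_port != sport:
            return False
        if self.remote_port is not None and self.remote_port != dport:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    name: str
    position: int        # lower value is processed first
    selector: Selector
    action: str          # "apply": secure on the SA; "bypass": send in the clear


# Stands in for the module's built-in default policy: tried last, matches
# everything, and leaves the traffic unencrypted.
DEFAULT_POLICY = Policy("default", 10**9, Selector(), "bypass")

# Constructed sample policies: the most specific selector gets the lowest position.
POLICIES: List[Policy] = [
    Policy("host_tunnel", 1,
           Selector(local="192.168.2.10/32", remote="192.168.3.0/24"), "apply"),
    Policy("site_to_site", 2,
           Selector(local="192.168.2.0/24", remote="192.168.3.0/24"), "apply"),
    # L2TP over IPsec: UDP 1701 between the gateway address and any remote client.
    Policy("l2tp", 3,
           Selector(protocol="udp", local="192.168.115.71/32",
                    local_port=1701, remote_port=1701), "apply"),
]


def select_policy(policies, proto, src, dst, sport=None, dport=None) -> Policy:
    """Walk the policies by ascending position; the default policy is tried last."""
    for pol in sorted(policies, key=lambda p: p.position) + [DEFAULT_POLICY]:
        if pol.selector.matches(proto, src, dst, sport, dport):
            return pol
    return DEFAULT_POLICY   # not reached: the default selector matches everything


def covers(a: Selector, b: Selector) -> bool:
    """True if every packet selected by b is also selected by a."""
    def net_covers(an, bn):
        return an == ANY or (bn != ANY and ip_network(bn).subnet_of(ip_network(an)))
    return (
        (a.protocol == ANY or a.protocol == b.protocol)
        and net_covers(a.local, b.local)
        and net_covers(a.remote, b.remote)
        and (a.local_port is None or a.local_port == b.local_port)
        and (a.remote_port is None or a.remote_port == b.remote_port)
    )


def shadowed_policies(policies) -> List[str]:
    """Names of policies that can never match because an earlier (lower
    position) policy with a broader selector always takes the traffic."""
    ordered = sorted(policies, key=lambda p: p.position)
    shadowed = []
    for i, later in enumerate(ordered):
        if any(covers(earlier.selector, later.selector) for earlier in ordered[:i]):
            shadowed.append(later.name)
    return shadowed


if __name__ == "__main__":
    pkt = ("tcp", "192.168.2.10", "192.168.3.5", 40000, 443)
    print("selected:", select_policy(POLICIES, *pkt).name)
    print("shadowed:", shadowed_policies(POLICIES))
```

Two results are worth watching in a real policy set: any name returned by shadowed_policies (a specific selector placed after a broader one will never be used, so its traffic takes the broader policy, or none), and any packet for which select_policy returns the default policy, since that traffic leaves the module in the clear.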
hostswitch(config)# services name tms-module
hostswitch(tms-module-)# config
hostswitch(tms-module-:config) no ipsec policy
Replace with the ID of the slot in which the TMS zl Module is installed. Replace with the name that you specified in the wizard. (You can also use the show ipsec policy command to view the name.)
2.
Figure 4-166. Manage IPsec Wizard > Add IPsec Policy (step 2) Window
Refer to Figure 4-167 for help in configuring the next settings.
Figure 4-167. Example IPsec Site-to-Site VPN
6. For Local Gateway, specify an IP address on the TMS zl Module that will act as the local VPN gateway (indicated by 1 in the figure).
• Select IP Address and type an IP address on the module in the box. The IP address must be an IP address already configured on the TMS zl Module. Type the address that the remote gateway can reach. For example, if the remote gateway connects to the module through the Internet, select the IP address associated with the module’s Internet VLAN.
• Select Use VLAN IP Address and select a VLAN from the list.
Figure 4-168. Manage IPsec Wizard > Add IPsec Policy (step 3) Window
10. The Add IPsec Policy (step 3) window displays settings for IKE Mode Config, which is not valid for a site-to-site VPN. Click Next.
Figure 4-169. Manage IPsec Wizard > Add IPsec Policy (step 4) Window
11. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable fragment before IPsec (this setting is enabled by default)
For information and guidelines on these settings, see “Advanced IPsec Features” on page 4-21.
– Set DF bit: the module sets the DF bit for all IPsec packets.
– Clear DF bit: the module clears the DF bit for all IPsec packets.
See “The Copying of Values from the Original IP Header” on page 4-23 for more information.
d. Under DSCP Options, choose how the TMS zl Module assigns DSCP values to IPsec packets. Either:
– Select Copy DSCP value from clear packet.
Before you begin configuring firewall access policies on a module, determine the zone on which traffic from the remote tunnel gateway arrives. Typically, this is the External zone, but it could be another zone. You should also determine the zone for local endpoints allowed on the VPN. This might be the Internal zone or another zone.
Table 4-27.
L2TP over IPsec VPNs
Figure 4-171 shows an example site-to-site VPN. The remote gateway IP address is 192.168.1.22. The remote endpoints behind the gateway are in subnet 10.1.55.0/24. In this example, a default route through 192.168.115.1, the local router in the path to these subnets, could fulfill the requirements for both routes. However, to better illustrate the necessary routes, the figure shows two specific routes.
Configure an L2TP over IPsec Client-to-Site VPN
To create policies that are valid for an L2TP over IPsec VPN, you must select some settings that the Deploy IPsec Remote-Access VPN wizard does not allow. Therefore, you will use the Manage IPsec wizard to create IKEv1 policies, IPsec proposals, and IPsec policies for this type of VPN.
Only one IKE policy on each TMS zl Module can specify the client-to-site type, main mode, and preshared keys. Therefore, if you are using preshared key authentication, you must configure a single policy that is valid for all of your remote L2TP users. See “Create an IKE Policy for an L2TP over IPsec VPN” on page 4-256.
3. Create an IPsec proposal. See “Create an IPsec Proposal for an L2TP over IPsec VPN” on page 4-269.
4.
See Chapter 6: “Configuring the TMS zl Module Firewall” for step-by-step instructions for configuring objects.
Table 4-29.
You can, of course, configure other objects that are appropriate for your environment. And you might choose not to configure some of the objects. For example, you might not know the actual IP address of every remote VPN client, particularly when remote users connect through the Internet. Or the IP addresses might not be contiguous, preventing you from placing them in a single-entry object (single-entry objects are required for address objects used in VPNs).
Figure 4-173. PCM+ > TMS-VPN > IPsec Window
4. You can add an IKE policy in several ways:
• If you are configuring a single module, you can click the IKEv1 Policies tab. Right-click the TMS zl Module’s name in the right pane and select Add. Move to step 5 on page 4-260.
Figure 4-174. PCM+ > TMS-VPN > IKEv1 Policies Window
• You can also open the Manage IPsec wizard in one of these two ways (required when configuring multiple modules):
– Right-click the folder or device and select TMS - VPN > Manage IPsec.
– Click the Manage IPsec Wizard icon in the toolbar.
Figure 4-175. PCM+ > TMS-VPN Window (Manage IPsec Wizard)
i.
Figure 4-176. Manage IPsec Wizard > Manage IPsec Main Menu
ii. Click Next. If you launched the wizard from a specific TMS zl Module in the navigation tree, move to step 5 on page 4-260.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-177. Manage IPsec Wizard > Select Devices
iv. Click Next.
5. A window is displayed in which you configure IKE settings. The window will differ slightly based on whether you are configuring a single TMS zl Module or multiple modules. The window for a multiple module configuration is displayed in Figure 442. (The window for a single module configuration does not include the Devices list.)
6.
Note
Later you must configure firewall access policies to allow the IKE messages from the remote endpoints.
Figure 4-178. Manage IPsec Wizard > Add IKEv1 Policy (Multiple Module Configuration)
If you are configuring multiple modules, the next settings are module-specific. Therefore, you must click one of the TMS zl Modules in the Devices list and configure the settings for that specific module.
Figure 4-179. Example L2TP over IPsec VPN
8. For Local Gateway, specify the TMS zl Module IP address that will act as the VPN gateway (indicated by 1 in the figure). You have two options:
• Select IP Address and type an IP address in the box. The IP address must be an IP address that is already configured on the TMS zl Module and that the remote endpoints can reach.
– Distinguished Name
You can select any type.
b. For Value, type the correct value. If you select IP Address for Type, the address that you specify in the Value box must match the IP address that you specified for the local gateway. Table 4-30 shows the format for each ID type.
Table 4-30. Local ID Values
Local ID Type | Remote ID Value | Examples
IP Address | A.B.C.D | 172.16.40.103
Domain Name TMS.hp.
Figure 4-180. Manage IPsec Wizard > Add IKEv1 Policy (step 1) Window (Filled In)
11. Click Next.
Figure 4-181. Manage IPsec Wizard > Add IKEv1 Policy (step 2) Window
12. Under IKE Authentication, configure the authentication method for the IKE proposal:
a. For Key Exchange Mode, select Main Mode. Main mode is required for the Windows L2TP clients.
b. For Authentication Method, select Preshared Key.
c. Type a string of 12 to 49 alphanumeric or special characters in the Preshared Key box.
Table 4-32. IKE Security Settings Proposed by Windows XP Clients
Proposal | Encryption Algorithm | Authentication Algorithm | Diffie-Hellman Group | SA Lifetime in Seconds
1 | 3DES | SHA-1 | 2 | 28800
2 | 3DES | MD5 | 2 | 28800
3 | DES | SHA-1 | 1 | 28800
4 | DES | MD5 | 1 | 28800
Note
You could configure other settings.
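Table 4-32 matters because the gateway’s IKE policy only works with the Windows client if at least one of the client’s four proposals matches it exactly in encryption algorithm, authentication algorithm and Diffie-Hellman group. The following Python model is an added example, not HP’s code or the TMS zl Module’s implementation: the client proposal list is transcribed from Table 4-32, the gateway policy fields mirror the wizard’s IKE Security Settings, and the selection rule (the first client proposal the gateway’s single policy accepts, with the SA lifetime clamped to the shorter of the two values) is a simplification of IKEv1 responder behaviour assumed for this example.

```python
"""Model IKEv1 phase-1 proposal selection between a Windows XP L2TP client
and the gateway's IKE policy.

Added example, not HP's code or the TMS zl Module's implementation. The
client proposal list is transcribed from Table 4-32; the gateway policy
fields mirror the wizard's IKE Security Settings; the selection rule (first
client proposal the gateway's single policy accepts, lifetime clamped to the
shorter value) is a simplification of IKEv1 responder behaviour assumed here.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IkeProposal:
    encryption: str        # "DES", "3DES", "AES-128", ...
    authentication: str    # "MD5", "SHA-1", ...
    dh_group: int
    lifetime_s: int


# Proposals offered, in order, by the Windows XP client (Table 4-32).
WINDOWS_XP_PROPOSALS: List[IkeProposal] = [
    IkeProposal("3DES", "SHA-1", 2, 28800),
    IkeProposal("3DES", "MD5", 2, 28800),
    IkeProposal("DES", "SHA-1", 1, 28800),
    IkeProposal("DES", "MD5", 1, 28800),
]


def negotiate(gateway: IkeProposal, offers: List[IkeProposal]) -> Optional[IkeProposal]:
    """Return the agreed phase-1 parameters, or None if the peers share none.

    The gateway accepts the first offered proposal whose algorithms and DH
    group equal its own policy; the SA lifetime becomes the shorter of the
    two configured values.
    """
    for offer in offers:
        if (offer.encryption == gateway.encryption
                and offer.authentication == gateway.authentication
                and offer.dh_group == gateway.dh_group):
            return IkeProposal(offer.encryption, offer.authentication,
                               offer.dh_group, min(offer.lifetime_s, gateway.lifetime_s))
    return None


def unsupported_settings(gateway: IkeProposal,
                         offers: List[IkeProposal] = WINDOWS_XP_PROPOSALS) -> List[str]:
    """List gateway settings that appear in none of the client's proposals.

    An empty list does not guarantee success: each value may be offered, but
    never together in one proposal (for example 3DES with group 1), so
    negotiate() remains the authoritative check.
    """
    reasons = []
    if gateway.encryption not in {o.encryption for o in offers}:
        reasons.append(f"encryption {gateway.encryption}")
    if gateway.authentication not in {o.authentication for o in offers}:
        reasons.append(f"authentication {gateway.authentication}")
    if gateway.dh_group not in {o.dh_group for o in offers}:
        reasons.append(f"dh_group {gateway.dh_group}")
    return reasons


if __name__ == "__main__":
    default_policy = IkeProposal("3DES", "SHA-1", 2, 28800)
    print("agreed:", negotiate(default_policy, WINDOWS_XP_PROPOSALS))
    hardened = IkeProposal("AES-256", "SHA-1", 14, 28800)   # constructed stronger policy
    print("agreed:", negotiate(hardened, WINDOWS_XP_PROPOSALS),
          "missing:", unsupported_settings(hardened))
```

The second run shows the trade-off the note under Table 4-32 is pointing at: a policy with algorithms the client never offers negotiates nothing, and the connection can then only be set up by configuring the client’s IPsec settings by hand to match the gateway.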
Figure 4-182. Manage IPsec Wizard > Add IKEv1 Policy (step 2) Window (Filled In)
14. Click Next.
15. Under XAUTH Configuration (Optional), leave the default, Disable XAUTH.
Figure 4-183. Manage IPsec Wizard > Add IKEv1 Policy (step 3) Window
16. Click Next.
Figure 4-184. Manage IPsec Wizard > Configuration Preview Window
17. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
• ESP, a single authentication algorithm, and a single encryption algorithm
You can configure multiple IPsec proposals. In a later task, you will specify a proposal in an IPsec policy. The algorithm or algorithms in that proposal will secure traffic that is part of IPsec tunnels (VPN connections) that are established with that policy. Follow these steps to configure an IPsec proposal:
1.
Figure 4-186. PCM+ > TMS-VPN > IPsec Window (Manage IPsec Wizard)
i. In the first window, select IPsec Proposal for Managed Objects and Add for Actions.
Figure 4-187.
ii. Click Next. If you launched the wizard from a specific TMS zl Module in the navigation tree, move to step 4 on page 4-273.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed. Select the modules that you want to configure (you can press and hold [Ctrl] to select multiple modules) and click the arrow button to move them to the Selected Devices list.
Figure 4-188.
Figure 4-189. Manage IPsec Wizard > Add IPsec Proposal Window
4. For Proposal Name, type a descriptive string of 1 to 32 alphanumeric characters. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5.
5. For Encapsulation Mode, select Transport Mode.
Note
You could configure other settings. However, in that case, you could not use the New Connection Wizard to set up the VPN connection on the Windows client; instead, you would have to configure the IPsec settings for the connection manually and make sure to match the settings configured here.
6. For Security Protocol, select ESP.
7.
Figure 4-190. Manage IPsec Wizard > Add IPsec Proposal Window (Filled In)
9. Click Next.
Figure 4-191. Manage IPsec Wizard > Configuration Preview
10. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
You must create the IPsec policy on each TMS zl Module individually. Repeat these steps on each module:
1. In the navigation tree, select the TMS zl Module within the TMS zl folder.
2. In the main configuration window, you should be at the TMS - VPN > IPsec tab.
3. You can add the IPsec policy in several ways:
• You can click the IPsec Policies tab. Right-click the TMS zl Module’s name and select Add. Move to step 4 on page 4-279.
i. In the first window, select IPsec Policy for Managed Objects and Add for Actions.
Figure 4-194. Manage IPsec Wizard > Manage IPsec Main Menu Window
ii. Click Next.
Figure 4-195. Manage IPsec Wizard > Add IPsec Policy (step 1) Window
4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6.
A default IPsec policy prevents all traffic from being encrypted by the VPN engine; therefore, all IPsec policies that you configure must have a higher priority than this default policy. Next, you configure the VPN traffic selector, which determines which traffic is selected by the policy. In this case, you configure the selector to select L2TP traffic between the TMS zl Module and remote endpoints.
Figure 4-196. Example L2TP over IPsec VPN
3. For Traffic Selector, configure these settings:
a. For Protocol, select UDP.
Note
Do not select (115) L2TP for Protocol. You must select UDP and then specify the L2TP port (1701) for the local and remote ports. L2TP needs to operate at Layer 4/5 in this case instead of at Layer 3.
b.
e.
Note
If your L2TP clients have contiguous IP addresses, you can specify a range of IP addresses or a subnet. However, in that case, you could not use the New Connection Wizard to set up the VPN connection on the Windows client; instead, you would have to configure the IPsec settings for the connection manually, making sure to match the local address settings in the IP filter to the setting configured here.
Figure 4-198. Manage IPsec Wizard > Add IPsec Policy (step 2) Window
6. For Key Exchange Method, keep the default, Auto (with IKEv1).
7. For IKEv1 Policy, select the previously configured IKEv1 policy. You must select a policy of the client-to-site type.
8. Leave the Enable PFS (Perfect Forward Secrecy) for keys check box clear.
9. For SA Lifetime in Seconds, leave the default 28800 (8 hours).
10.
Figure 4-199. Manage IPsec Wizard > Add IPsec Policy (step 3) Window
13. Click Next.
Figure 4-200.
14. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable re-key on sequence number overflow (this setting is enabled by default)
– Enable persistent tunnel
– Enable fragment before IPsec (this setting is enabled by default)
For information and guidelines on these settings, see “Advanced IPsec Features” on page 4-21.
b.
15. Click Next.
Figure 4-201. Manage IPsec Wizard > Configuration Preview Window
16. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box.
See “Configure L2TP Authentication to an External RADIUS Server” on page 4-301.
Configure Local L2TP Authentication
When authenticating users to the local database, you must:
1. Create a user group for the L2TP over IPsec users.
2. Add L2TP dial-in users.
Note
You can authenticate a maximum of 100 L2TP users to the TMS zl Module’s local database.
4. For Managed Objects, select Group. For Action, select Add.
Figure 4-203. Manage Users Wizard > Manage Users Main Menu
5. Click Next.
6. If the Select Devices window is displayed, select your TMS zl Module or modules from the Available Devices list. Click the arrow button to move them to the Selected Devices list. Then click Next.
Figure 4-204. Manage Users Wizard > Select Devices Window
7. The Manage User group window is displayed.
Figure 4-205. Manage Users Wizard > Manage User group Window
8. Click Add.
9. The Group Name field is populated with a default name. Change the name to a meaningful name for you.
Figure 4-206. Manage Users Wizard > Manage User group Window
10. If you want, click Add and create other groups for your L2TP users. This will allow you to assign different rights to different remote users when you create firewall access policies.
11. Click Next.
Figure 4-207. Manage Users Wizard > Summary of Changes Window
12. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to participant check box. Note that this will cause the participant to reboot.
Note
You can authenticate only 100 L2TP users to the local database. If you need to authenticate more than 100 L2TP users, you must authenticate these users to an external RADIUS server. See “Configure L2TP Authentication to an External RADIUS Server” on page 4-301 for instructions.
Follow these steps:
1. 2.
Figure 4-209. PCM+ > TMS-Network Window
i. Whichever way you launch the wizard, in the first window, select L2TP User for Managed Objects and Add for Actions.
Figure 4-210. Manage Users Wizard > Manage Users Main Menu Window
ii. Click Next.
iii. Select your TMS zl Module or modules from the Available Devices list. Click the arrow button to move them to the Selected Devices list.
Figure 4-211. Manage Users Wizard > Select Devices Window
iv. Click Next.
Figure 4-212. Manage Users Wizard > Manage L2TP User(s) Window
3. For User, type the username that the remote client will use to log on to the VPN connection. The name can be 1 to 16 alphanumeric characters.
4. For Password, type the password for the username.
5. For User Group, select one of the user groups that you configured on the TMS zl Module.
Configuring a VPN on the HP TMS zl Module L2TP over IPsec VPNs 7. Under Tunnel Configuration, for Server IP Address, type the IP address and subnet prefix length of the TMS zl Module in its capacity as L2TP Network Server (LNS). For example, type 172.16.80.1. This is a virtual IP address in an unused subnet (the subnet must not be configured as a TMS VLAN or a VLAN on the host switch). The subnet will be automatically placed in the External zone. Use the same server IP address for each user’s account. 8.
Configuring a VPN on the HP TMS zl Module L2TP over IPsec VPNs Figure 4-213. Manage Users Wizard > Manage L2TP User(s) (Filled In) Window 10. Click Add.
Configuring a VPN on the HP TMS zl Module L2TP over IPsec VPNs Figure 4-214. Manage Users Wizard > Manage L2TP User(s) Window (Filled In) 11. The user is added under the TMS zl Module (or modules) in the left pane. 12. If you want, configure other users. When you are finished, click Next.
Configuring a VPN on the HP TMS zl Module L2TP over IPsec VPNs Figure 4-215. Manage Users Wizard > Summary of Changes Window 13. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to participant check box.Note that this will cause the participant to reboot.
Configure L2TP Authentication to an External RADIUS Server
When authenticating users to an external RADIUS server, you must:
1. Create user groups. See “Create a User Group” on page 4-301.
2. Specify a RADIUS server for the TMS zl Module to use (if you have not already done so). See “Specify a RADIUS Server” on page 4-307.
3. Configure RADIUS authentication for L2TP. See “Configure RADIUS Authentication for L2TP” on page 4-311.
4.
Figure 4-216. PCM+ > TMS-Network Window
3. In the Manage Users Wizard, click Next.
4. For Managed Objects, select Group. For Action, select Add.
Figure 4-217. Manage Users Wizard > Manage Users Main Menu
5. Click Next.
6. If the Select Devices window is displayed, select your TMS zl Module or modules from the Available Devices list. Click the arrow button to move it to the Selected Devices list.
Figure 4-218. Manage Users Wizard > Select Devices Window
7. The Manage User group window is displayed.
8. Select your TMS zl Module or modules from the Available Devices list. Click the arrow button to move it to the Selected Devices list.
Figure 4-219. Manage Users Wizard > Select Devices Window
9. Click Next.
Figure 4-220. Manage Users Wizard > Manage User group Window
10. Click Add.
11. The Group Name field is populated with a default name. Change it to a name that is meaningful to you.
Figure 4-221. Manage Users Wizard > Manage User group
12. If you want, click Add and create other groups for your L2TP users. This will allow you to assign different rights to different remote users when you create firewall access policies.
13. Click Next.
Figure 4-222. Manage Users Wizard > Summary of Changes Window
14. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to participant check box. Note that this will cause the participant to reboot.
2. Click the TMS-Network > Authentication tab.
Figure 4-223. PCM+ > TMS-Network Window
3. Click the Firewall Properties Wizard icon.
4. Click Next.
5. For Select Property, select RADIUS Configuration. For Action, select Add.
Figure 4-224. Firewall Properties Wizard > Select Configuration Property and Action
6. Click Next.
7. Select your TMS zl Module or modules from the Available Devices list.
Figure 4-225. Firewall Properties Wizard > Select Devices Window
8. Click Next.
Figure 4-226. Firewall Properties Wizard > RADIUS Configuration Window
9. Click ADD.
10. For Server Address, type the RADIUS server’s IP address.
11. For Secret and Confirm Secret, type the same shared secret configured on the RADIUS server for the TMS zl Module.
12. For NAS Identifier, type the string that you want the TMS zl Module to use to identify itself in RADIUS requests.
13. If you want, configure optional domain settings. The value that you configure for Domain Name determines the domain for L2TP users.
Figure 4-228. Firewall Properties Wizard > Summary of Changes Window
16. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to participant check box. Note that this will cause the participant to reboot.
Figure 4-229. PCM+ > Network > Authentication > RADIUS Related Configuration Window
3. Under your TMS zl Module, right-click mschap and select Modify.
4. Select the Use RADIUS to authenticate L2TP clients check box.
5. For L2TP Server IP Address, type the IP address that the TMS zl Module will use on L2TP connections. This IP address cannot be on a subnet that is already configured on the TMS zl Module.
Figure 4-230. Manage RADIUS Settings
7. Click OK.
Figure 4-231.
8. A window is displayed, showing the settings being applied to the TMS zl Module. When you see that they have been applied successfully, click Close.
If your RADIUS server (or directory) does not provide dial-in addresses for authenticated L2TP clients, you must edit the RADIUS domain to create an IP address pool so that the TMS zl Module can assign the appropriate addresses.
Figure 4-233. Manage L2TP Address Window
4. Leave the RADIUS Domain field at the autopopulated value.
5. For IP Pool Range, type an IP address range. These are the IP addresses that will be assigned to L2TP clients that authenticate to the RADIUS server. You can specify a range of up to 10,160 IP addresses. You should use the same subnet on which you specified the L2TP server IP address.
6.
Figure 4-234. Manage L2TP Address Window (Filled In)
8. Click Update.
9. Click Next.
Figure 4-235. Manage L2TP Address > Summary of Changes
10. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box.
If you need to change any settings, click Back until you reach the appropriate window and can select a different setting. When you are ready to apply the configuration, click Next in the Summary of Changes window.
11. A window is displayed, showing the settings being applied to the TMS zl Module. When you see that they have been applied successfully, click Close.
Set Up a RADIUS Server to Work with the TMS zl Module
For example, if you are using the Microsoft IAS wizard to create your policy, the wizard will automatically add condition attributes that the TMS zl Module does not send (such as the connection type [NAS-Port-Type]). After you create the policy, edit it, deleting any attributes that the TMS zl Module does not use from the conditions.
• The policy grants authenticated users access.
This setting allows the TMS zl Module to assign IP addresses to users from the range configured in the TMS-Network > Authentication > L2TP Addresses window.
Create Access Policies for an L2TP over IPsec VPN
To permit VPN traffic, you must create firewall access policies on each TMS zl Module that supports an L2TP over IPsec VPN.
Figure 4-236. Example L2TP over IPsec VPN (with Zones)
Finally, you must note the user group (or groups) to which L2TP users are assigned. Users are assigned to these groups by local L2TP user accounts or by an external RADIUS server. You will configure access policies that permit traffic between remote users and local services within these groups; this helps to ensure that only authorized remote users access your private network.
For access policies that permit the traffic sent over the VPN, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system—particularly, when IPsec fragmentation is disabled. Otherwise, the addition of the L2TP, IP delivery, and IPsec headers might make the packets too large to be transmitted. Table 4-36 suggests a conservative value for the TCP MSS when the MTU is 1500.
Verify Routes for the L2TP over IPsec VPN
Verify that each TMS zl Module knows a route to the remote endpoints. This route can be a default route, a static route, or a route discovered through a dynamic routing protocol. The route’s forwarding interface must be the interface with the IP address that you specified as the local gateway address in the IKE policy (and as the local address in the IPsec policy).
Figure 4-237. Routes for an L2TP over IPsec Client-to-Site VPN
GRE Tunnels
Generic Routing Encapsulation (GRE) is a Layer 2 protocol that can encapsulate any protocol that Ethernet can encapsulate. GRE tunneling establishes a virtual point-to-point connection between two devices across an intervening network. For example, you could use GRE to tunnel FTP or HTTP traffic between two networks across an intervening network.
even configure the TMS zl Module to exchange dynamic routing messages through the GRE tunnel. To send routing messages (RIP and OSPF) through a GRE tunnel, you must enable RIP or OSPF on the GRE tunnel. Because GRE tunnels do not encrypt traffic, you should configure GRE over IPsec for traffic that requires data integrity or data privacy.
Note
The tunnel interface on the TMS zl Module will respond to keepalives from the remote tunnel gateway even when you do not enable keepalives on that interface. Therefore, you can set keepalives on one side of the tunnel but not the other if you want. However, only the side of the tunnel that sends keepalives will use the keepalives to determine the status of the tunnel; the other side will always consider the tunnel to be up.
Floating Static Routes
Whenever you configure a GRE tunnel, you must configure routes to subnets behind the remote tunnel endpoint; the forwarding interface for these routes should be the tunnel interface. These routes can be static routes that you add manually (including default routes), or you can configure a routing protocol on the GRE tunnel to enable the module to discover dynamic routes.
Using named objects is best practice; however, you can specify IP addresses manually. See “Create Named Objects (Optional)” on page 4-327.
2. Create the GRE tunnel. See “Create a GRE Tunnel” on page 4-328.
3. Verify that there is a route to the remote tunnel gateway. See “Create Access Policies for a GRE Tunnel” on page 4-337.
4. Create firewall access policies to permit traffic associated with the GRE tunnel.
Table 4-37.
• If you want to configure multiple modules, select the TMS zl folder.
3. In the main configuration window, click TMS - VPN and then click the GRE Tunnels tab.
Figure 4-240. PCM+ > TMS-VPN > GRE Tunnels > GRE Tunnels Window
4. You can configure a GRE tunnel in one of two ways:
• If you are configuring a single module, you can right-click the TMS zl Module’s name in the main configuration window and select Add. Move to step 6 on page 4-332.
i. In the first window, click Next.
Figure 4-242. Manage GRE Wizard > Select Action Window
ii. Click Add and then click Next.
iii. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 6 on page 4-332.
iv. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-243. Manage GRE Wizard > Select Devices Window
v. Click Next.
5. The Configure GRE Tunnel parameters window is displayed. The window will differ slightly based on whether you are configuring a single TMS zl Module or multiple modules. The window for a multiple module configuration is displayed in Figure 4-244. (The window for a single module configuration does not include the Devices list.
Figure 4-244. Manage GRE Wizard > Configure GRE Tunnel parameters Window
6. For Tunnel Name, type a name that is unique for this tunnel. The name can be from 1 to 10 alphanumeric characters. It is recommended that you use a name that indicates the destination of the tunnel.
7. By default, the Enable this tunnel check box is selected, which allows the GRE tunnel to be established as soon as you finish configuring it.
Figure 4-245. Example GRE Tunnel (Including Tunnel Interface)
8. For Tunnel IP Address, type the TMS zl Module’s IP address on the tunnel interface (indicated by 5 in the figure). This IP address is a virtual address, and it must not be part of an existing TMS VLAN or other subnet in your network. This address will be the source address for tunneled packets.
9.
13. To enable the keepalive feature for the GRE tunnel, select Tunnel Keepalive.
a. For Period, type the interval, in seconds, between sending keepalives. This interval can be as short as 1 second or as long as 3600 seconds (1 hour).
b. For Retry, type the number of keepalives for which the TMS zl Module can fail to receive a reply before it declares the tunnel to be “down” (1-255).
Figure 4-246.
Also note that some GRE implementations allow for a key parameter to be specified, but the TMS zl Module does not support this parameter. If a GRE implementation has the key parameter specified, normal GRE traffic as well as keepalive traffic will not pass.
14. If you are configuring multiple modules, remember to select each device and configure its settings.
15. Click Next. The Summary of Changes window is displayed.
Figure 4-247.
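The asymmetric keepalive behaviour in the note above, together with the Period/Retry limits and the unsupported GRE key parameter, as an added Python example that is not part of this guide; the second-by-second simulation, the assumption that a received reply returns the sending side to “up”, and the constructed GRE headers are mine, not the module’s implementation.

```python
"""GRE tunnel keepalive behaviour as described for the TMS zl Module:
only the side that sends keepalives uses them to judge tunnel state,
while the other side answers them but always considers the tunnel up.
Also decodes the GRE flag bits, because a peer that sets the Key bit
passes neither data nor keepalive traffic with the module."""

import struct

PERIOD_RANGE = (1, 3600)   # seconds between keepalives (Period field)
RETRY_RANGE = (1, 255)     # unanswered keepalives before "down" (Retry field)


def validate_keepalive(period, retry):
    """Reject values outside the ranges the wizard accepts."""
    if not PERIOD_RANGE[0] <= period <= PERIOD_RANGE[1]:
        raise ValueError(f"period {period} outside {PERIOD_RANGE}")
    if not RETRY_RANGE[0] <= retry <= RETRY_RANGE[1]:
        raise ValueError(f"retry {retry} outside {RETRY_RANGE}")
    return period, retry


def simulate(period, retry, link_down, link_up, duration):
    """Second-by-second simulation of two tunnel endpoints.

    Endpoint A has Tunnel Keepalive enabled; endpoint B does not.
    The path is unusable during the seconds [link_down, link_up).
    Returns (second at which A first declared the tunnel down, or None;
    A's final state; B's final state)."""
    validate_keepalive(period, retry)
    a_state = b_state = "up"
    missed = 0            # consecutive keepalives A sent without a reply
    down_at = None
    for now in range(1, duration + 1):
        link_ok = not (link_down <= now < link_up)
        if now % period == 0:              # A sends a keepalive
            if link_ok:
                # B replies even though its own keepalives are off
                missed = 0
                a_state = "up"             # assumption: a reply restores "up"
            else:
                missed += 1
                if missed >= retry and a_state == "up":
                    a_state = "down"
                    down_at = now
        # B never evaluates keepalives, so b_state never changes
    return down_at, a_state, b_state


def worst_case_detection(period, retry):
    """Longest delay between a silent path failure and A declaring
    "down": the failure can happen right after a successful keepalive,
    after which `retry` further keepalives, one period apart, go unanswered."""
    return period * retry


# --- GRE header flags ----------------------------------------------------
GRE_C, GRE_K, GRE_S = 0x80, 0x20, 0x10     # bits of the first header byte


def gre_flags(header):
    """Decode the first four bytes of a GRE (RFC 2784/2890) header."""
    if len(header) < 4:
        raise ValueError("GRE header is at least 4 bytes")
    flags, proto = struct.unpack("!HH", header[:4])
    first = flags >> 8
    return {
        "checksum": bool(first & GRE_C),
        "key": bool(first & GRE_K),
        "sequence": bool(first & GRE_S),
        "version": flags & 0x7,
        "protocol": proto,
    }


def compatible_with_module(header):
    """False when the peer sets the Key bit, which the module does not support."""
    return not gre_flags(header)["key"]


# Constructed sample headers: GRE carrying IPv4 (0x0800), without and with a key.
PLAIN_GRE = bytes.fromhex("00000800")
KEYED_GRE = bytes.fromhex("20000800") + bytes.fromhex("0000002a")

if __name__ == "__main__":
    print(simulate(period=5, retry=3, link_down=12, link_up=1000, duration=60))
    print("keyed peer compatible:", compatible_with_module(KEYED_GRE))
```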
Figure 4-248. Manage GRE Wizard > Applying Settings Window
18. If the settings are successfully applied, click Close. The tunnel is now displayed in the TMS - VPN > GRE Tunnels > GRE Tunnels window.
Figure 4-249.
■ Repeat these steps to create a redundant tunnel. (See “Configure a GRE Tunnel” on page 4-326.)
■ Create access policies for the GRE tunnel you just created. (Move to the next section.)
■ Secure the GRE tunnel with IPsec. (See “Configure a GRE over IPsec VPN with IKE” on page 4-340 or “Configure a GRE over IPsec VPN with Manual Keying” on page 4-373.)
Table 4-38 lists the necessary access policies; the numbers in the Source and Destination columns refer to the example figure above. (Note that all of these policies are typically configured for the None User group. However, if local users log in through the module, then the access policies with the local zone as the source zone would use that user group.
When Required | Type | From Zone | To Zone | Service | Source | Destination | MSS | Number of policies
Dynamic routing over the tunnel, default policies disabled | Multicast | Tunnel | SELF | OSPF or RIP | 6 | Any Address or multicast address | — | 1
Dynamic routing over the tunnel, default policies disabled | Multicast | SELF | Tunnel | OSPF or RIP | 5 | Any Address or multicast address | — | 1
For step-by-step instructions on configuring access policies using the TMS mana
it is best practice to add a specific static route to the tunnel destination address through the proper gateway. (Make sure to give this route an administrative distance lower than the routing protocol.)
Figure 4-251. Example GRE over IPsec VPN (with tunnel interface)
For more information about configuring routing on the TMS zl Module, see Chapter 7: Routing in the HP Threat Management Services zl Module Management and Configuration Guide.
Table 4-39.
See “Create an IKE Policy for a GRE over IPsec VPN” on page 4-345.
5. Install certificates for IKE (optional). See “Install Certificates Manually” on page 4-394 or “Install Certificates Using SCEP” on page 4-418.
6. Create an IPsec proposal. The mode is typically transport mode because the TMS zl Module generates the GRE packets, but you can also use tunnel mode.
After you create the named objects you want to use, configure the GRE tunnel, as outlined in “Configure a GRE Tunnel” on page 4-326.
Table 4-40.
Verify That a Route to the Remote Tunnel Gateway Exists
After you create the GRE tunnel (as described in “Configure a GRE Tunnel” on page 4-326), you must ensure that the TMS zl Module has a route to the tunnel’s destination address (indicated by 3 in Figure 4-253). Without this route, the TMS zl Module cannot establish the GRE tunnel. The route can be to the specific address or any network that includes that address.
For more information about configuring routing on the TMS zl Module, see Chapter 7: Routing in the HP Threat Management Services zl Module Management and Configuration Guide. (For additional information about configuring routing for VPNs, see Chapter 7: “Virtual Private Networks” in the HP Threat Management Services zl Module Management and Configuration Guide.)
• If you are configuring a single module, you can click the IKEv1 Policies tab. Right-click the TMS zl Module’s name in the main configuration window and select Add. Move to step 5 on page 4-348.
Figure 4-255. PCM+ > TMS-VPN > IKEv1 Policies Window
• You can also open the Manage IPsec wizard in one of these two ways (required when configuring multiple modules):
– Right-click the folder or device and select TMS - VPN > Manage IPsec Wizard.
i. Whichever way you open the wizard, in the first window, select IKEv1 Policy for Managed Objects and Add for Actions.
Figure 4-257. Manage IPsec Wizard > Manage IPsec Main Menu
ii. Click Next. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 5 on page 4-348.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-258. Manage IPsec Wizard > Select Devices
iv. Click Next.
5. A window is displayed in which you configure IKE settings. The window will differ slightly based on whether you are configuring a single TMS zl Module or multiple modules. The window for a single module configuration is displayed in Figure 4-135. (The window for a multiple module configuration includes the same settings but adds a Devices list.)
6.
The TMS zl Module will respond to IKE messages from the gateway at the remote site. It will also initiate IKE when it receives traffic that is selected in the IPsec policy associated with this IKE policy but the IPsec SA is not active.
Figure 4-259. Manage IPsec Wizard
If you are configuring multiple modules, the next settings are module-specific.
Figure 4-260. Example GRE over IPsec VPN
8. For Local Gateway, specify the same IP address configured as the source IP address for the GRE tunnel (indicated by 1 in the figure and not the IP address on the tunnel subnet). You have two options:
• Select IP Address and type the IP address in the box.
• Select Use VLAN IP Address and select a VLAN from the list.
Note
Later you will configure firewall access policies to allow the IKE messages from the remote gateway.
10. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself. This ID must match exactly, in both type and value, the remote ID specified on the remote endpoint. For more information about ID types, see “IKE Phase 1” on page 4-14.
a.
Figure 4-261. Manage IPsec Wizard > Add IKEv1 Policy (step 2) Window
13. Under IKE Authentication, configure these settings:
a. For Key Exchange Mode, select Main Mode or Aggressive Mode. The mode must match that configured on the remote endpoint. See “IKE modes” on page 4-18 for guidelines.
b.
c. If you selected Preshared Key, type a string of 12 to 49 alphanumeric or special characters in the Preshared Key box. Type the same string in the Confirm Preshared Key box. The string (which is case-sensitive) must match that configured on the remote gateway.
14. Under Security Parameters Proposal, configure the security settings proposed by the TMS zl Module for the IKE SA:
a.
Figure 4-262. Manage IPsec Wizard > Add IKEv1 Policy (step 3) Window
16. If you want, configure XAUTH, which is an optional additional layer of security. Otherwise, leave Disable XAUTH selected and move to step 17. You can configure the TMS zl Module to act either as a client (authenticate itself) or as a server (authenticate the remote gateway):
• Select Enable XAUTH Server.
i. For Authentication Type, select Generic or CHAP.
i. For Authentication Type, select Generic or CHAP.
ii. For Username, type a username accepted by the remote gateway’s authentication server.
iii. For Password, type the password associated with that username.
17. Click Next.
18. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box.
3. You can add the IPsec proposal in several ways:
• If you are configuring a single TMS zl Module, you can click the IPsec Proposals tab. Right-click the TMS zl Module’s name and select Add. Move to step 4 on page 4-359.
Figure 4-263.
i. In the first window, select IPsec Proposal for Managed Objects and Add for Actions.
Figure 4-265. Manage IPsec Wizard > Manage IPsec Main Menu Window
ii. Click Next. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 4 on page 4-359.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-266. Manage IPsec Wizard > Select Devices
iv. Click Next.
All of the IPsec proposal settings that you configure in the next wizard will be applied to each of the devices that you have selected.
Figure 4-267. Manage IPsec Wizard > Add IPsec Proposal Window
4. In the Add IPsec Proposal window, type a descriptive string of 1 to 32 alphanumeric characters for Proposal Name. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5.
5. For Encapsulation Mode, typically select Transport Mode.
• AES-192 (24)
• AES-256 (32)
The number in parentheses after AES options indicates the key length for the algorithm in bytes.
8. If you selected either ESP or AH, for Authentication Algorithm, select one of the following:
• None
You must not select None if you selected AH for the Security Protocol or if you selected NULL for the ESP Encryption Algorithm.
• MD5
• SHA-1
• AES-XCBC
9. Click Next.
10.
1. In the navigation tree, click the module’s name within the TMS zl folder.
2. In the main configuration window, move to the TMS - VPN > IPsec tab.
3. You can add the IPsec policy in several ways:
• Click the IPsec Policies tab. Right-click the TMS zl Module’s name and select Add. Move to step 4 on page 4-363.
Figure 4-268.
i. In the first window, select IPsec Policy for Managed Objects and Add for Actions.
Figure 4-270. Manage IPsec Wizard > Manage IPsec Main Menu Window
ii. Click Next.
Figure 4-271. Manage IPsec Wizard > Add IPsec Policy (step 1) Window
4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy.
5. By default the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later.
6.
The position determines the order in which the TMS zl Module processes IPsec policies. The module processes the policy with the lowest value first (for example, position 1 before position 2). The position matters most when policies have overlapping traffic selectors. In this case, assign the highest position (lowest value) to the IPsec policy with the most specific traffic selector.
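The ordering rule above, as an added Python example that is not part of this guide: policies are evaluated from the lowest position value upward, and a broad site-to-site selector placed before the specific GRE (protocol 47) selector silently captures the GRE traffic. The policy names, addresses and proposal labels are constructed for the example.

```python
"""IPsec policy ordering: the module processes the policy with the
lowest position value first, so overlapping traffic selectors must be
ordered most-specific first.  Specificity here is an assumed measure
(exact protocol plus source/destination prefix lengths)."""

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPPROTO_GRE = 47          # protocol number selected for GRE over IPsec


@dataclass
class TrafficSelector:
    protocol: Optional[int]   # IP protocol number, None = any
    src: str                  # network in CIDR notation, e.g. "192.0.2.5/32"
    dst: str

    def matches(self, proto, src_ip, dst_ip):
        return ((self.protocol is None or self.protocol == proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

    def specificity(self):
        """Higher is more specific: a fixed protocol plus longer prefixes."""
        return ((1 if self.protocol is not None else 0)
                + ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen)


@dataclass
class IpsecPolicy:
    name: str
    selector: TrafficSelector
    proposal: str             # constructed label, e.g. "ESP-AES-SHA1-transport"
    position: int = 0
    enabled: bool = True


def assign_positions(policies):
    """Give the most specific selector position 1, the next 2, and so on.
    Equal specificity keeps the existing relative order (stable sort)."""
    ordered = sorted(policies, key=lambda p: -p.selector.specificity())
    for pos, policy in enumerate(ordered, start=1):
        policy.position = pos
    return ordered


def select_policy(policies, proto, src_ip, dst_ip):
    """First enabled policy, in position order, whose selector matches."""
    for policy in sorted(policies, key=lambda p: p.position):
        if policy.enabled and policy.selector.matches(proto, src_ip, dst_ip):
            return policy
    return None


def build_example():
    """Constructed pair of overlapping policies, broad one first (the mistake)."""
    site = IpsecPolicy("site-to-site",
                       TrafficSelector(None, "192.0.2.0/24", "203.0.113.0/24"),
                       "ESP-AES-SHA1-tunnel", position=1)
    gre = IpsecPolicy("gre-over-ipsec",
                      TrafficSelector(IPPROTO_GRE, "192.0.2.5/32", "203.0.113.10/32"),
                      "ESP-AES-SHA1-transport", position=2)
    return [site, gre]


if __name__ == "__main__":
    policies = build_example()
    hit = select_policy(policies, IPPROTO_GRE, "192.0.2.5", "203.0.113.10")
    print("before reordering, GRE traffic hits:", hit.name)
    assign_positions(policies)
    hit = select_policy(policies, IPPROTO_GRE, "192.0.2.5", "203.0.113.10")
    print("after reordering, GRE traffic hits:", hit.name)
```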
Note
If your traffic selector will include traffic that is also selected for NAT, you must create a NAT exclusion policy. See Chapter 6: “Configuring the TMS zl Module Firewall.”
Refer to Figure 4-272 for help configuring the traffic selector.
Figure 4-272. Example GRE over IPsec VPN
4. For Traffic Selector, configure these settings:
a. For Protocol, specify 47 (GRE).
b.
Figure 4-273. Manage IPsec Wizard > Add IPsec Policy (step 2) Window
6. For Key Exchange Method, keep the default, Auto (with IKEv1).
7. For IKEv1 Policy, select the IKEv1 policy that specifies the remote tunnel endpoint as the remote gateway.
8. Optionally, select the Enable PFS (Perfect Forward Secrecy) for keys check box, which forces the tunnel endpoints to generate new keys for the IPsec SA.
This setting determines how long the IPsec SA remains open. When the lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl Module checks whether the SA has experienced any activity. If it has, the module negotiates a new SA and then deletes the old SA. If the SA is inactive, the module waits for the complete lifetime to expire. Then, if the SA is still inactive, the module deletes the SA. The default value is 28800 (8 hours).
10.
Figure 4-274. Manage IPsec Wizard > Add IPsec Policy (step 3) Window
12. The Add IPsec Policy (step 3) window allows you to configure settings for IKE mode config, which is not valid for this type of VPN. Click Next.
Figure 4-275. Manage IPsec Wizard > Add IPsec Policy (step 4) Window
13. If desired, configure settings in the Advanced Settings (Optional) section.
a. Select the check boxes for the advanced features that you want to enable:
– Enable IP compression
– Enable extended sequence number
– Enable re-key on sequence number overflow – This setting is enabled by default.
– Copy DF bit from clear packet – The TMS zl Module copies the don’t fragment (DF) bit setting for the IPsec packet from the inner IP packet.
– Set DF bit – The module sets the DF bit for all IPsec packets.
– Clear DF bit – The module clears the DF bit for all IPsec packets.
See “The Copying of Values from the Original IP Header” on page 4-23 for more information.
d. Under DSCP Options, choose how the TMS zl Module assigns DSCP values to IPsec packets.
Create Access Policies for a GRE over IPsec VPN That Uses IKE
To permit the VPN traffic, you must create firewall access policies on each TMS zl Module that supports a GRE over IPsec tunnel. Before you begin configuring firewall access policies on a module, determine the zone on which traffic from the remote tunnel gateway arrives. This is the zone associated with the TMS VLAN on which the tunnel’s source IP address is configured.
For access policies that permit the traffic sent over the tunnel, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system. Otherwise, the addition of the GRE and IP delivery headers might make the packets too large to be transmitted. Table 4-42 suggests a value for the TCP MSS when the MTU is 1500.
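The MSS reasoning above, and the same point made earlier for L2TP over IPsec, as an added Python example that is not from this guide and does not reproduce the values in its Tables 4-36 and 4-42: it computes the largest TCP MSS that still fits a 1500-byte MTU once the GRE, L2TP, IP delivery and ESP headers are added. Header sizes are the standard wire formats; which optional fields are present (full L2TP header, uncompressed PPP, HMAC-96 ICV, NAT-T) is an assumption set through the constants and parameters.

```python
"""Largest TCP MSS that still fits the MTU once L2TP/IPsec or GRE
(over IPsec) encapsulation is added.  Header sizes are the standard
IPv4, UDP, GRE, L2TP, PPP and ESP wire formats; which optional fields
are present is an assumption expressed through the constants and
parameters below (worst case where the guide leaves it open)."""

IPV4_HDR = 20       # IPv4 header without options
TCP_HDR = 20        # TCP header without options
UDP_HDR = 8
GRE_HDR = 4         # base GRE header: no checksum, key or sequence number
PPP_HDR = 4         # PPP address/control + protocol, uncompressed (worst case)
L2TP_HDR = 16       # L2TP data header with every optional field present
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header
ESP_ICV = 12        # HMAC-MD5-96 / HMAC-SHA1-96 integrity check value
# ESP encryption algorithm -> (IV length, padding alignment), in bytes.
# NULL carries no IV but ESP still aligns the trailer to 4 bytes.
ESP_CIPHERS = {"null": (0, 4), "3des": (8, 8), "aes": (16, 16)}


def esp_size(payload_len, cipher):
    """Bytes on the wire for `payload_len` bytes protected by ESP
    (header, IV, payload, padding, trailer, ICV; no outer IP header)."""
    iv, align = ESP_CIPHERS[cipher]
    pad = (-(payload_len + ESP_TRAILER)) % align
    return ESP_HDR + iv + payload_len + pad + ESP_TRAILER + ESP_ICV


def l2tp_ipsec_packet(mss, cipher="3des", mode="transport", nat_t=False):
    """Size of one full-MSS TCP segment carried as
    IP / [UDP NAT-T] / ESP / UDP / L2TP / PPP / IP / TCP / data."""
    inner_ip = IPV4_HDR + TCP_HDR + mss
    l2tp_udp = UDP_HDR + L2TP_HDR + PPP_HDR + inner_ip
    # transport mode protects UDP and above; tunnel mode also wraps the
    # delivery IP header and then adds a new outer one
    protected = l2tp_udp + (IPV4_HDR if mode == "tunnel" else 0)
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0)
    return outer + esp_size(protected, cipher)


def gre_packet(mss, cipher=None, mode="transport"):
    """Size of one full-MSS TCP segment carried as
    IP / [ESP] / GRE / IP / TCP / data; cipher=None means plain GRE."""
    gre = GRE_HDR + IPV4_HDR + TCP_HDR + mss
    if cipher is None:
        return IPV4_HDR + gre
    protected = gre + (IPV4_HDR if mode == "tunnel" else 0)
    return IPV4_HDR + esp_size(protected, cipher)


def max_mss(packet_fn, mtu=1500, **encap):
    """Largest MSS whose encapsulated packet is no larger than `mtu`.
    Packet size never shrinks as the MSS grows, so walk down from the
    plain-TCP value until the packet fits."""
    mss = mtu - IPV4_HDR - TCP_HDR           # 1460 for a 1500-byte MTU
    while mss > 0 and packet_fn(mss, **encap) > mtu:
        mss -= 1
    return mss


def recommendations(mtu=1500):
    """MSS values to clamp to in the access policies, per encapsulation."""
    return {
        "plain GRE": max_mss(gre_packet, mtu),
        "GRE over IPsec, ESP AES, transport": max_mss(gre_packet, mtu, cipher="aes"),
        "GRE over IPsec, ESP AES, tunnel": max_mss(gre_packet, mtu, cipher="aes",
                                                   mode="tunnel"),
        "L2TP over IPsec, ESP 3DES, transport": max_mss(l2tp_ipsec_packet, mtu,
                                                        cipher="3des"),
        "L2TP over IPsec, ESP AES, transport, NAT-T": max_mss(
            l2tp_ipsec_packet, mtu, cipher="aes", nat_t=True),
    }


if __name__ == "__main__":
    for label, mss in recommendations().items():
        print(f"{label:45s} MSS <= {mss}")
```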
When Required | Type | From Zone | To Zone | Service | Source | Destination | MSS | Number of policies
Dynamic routing over the tunnel, default policies disabled | Unicast | SELF | Tunnel | OSPF or RIP | 5 | 6 | — | 1
Dynamic routing over the tunnel, default policies disabled | Multicast | Tunnel | SELF | OSPF or RIP | 6 | Any Address or multicast address | — | 1
Dynamic routing over the tunnel, default policies disabled | Multicast | SELF | Tunnel | OSPF or RIP | 5 | Any Add
Configuring a VPN on the HP TMS zl Module GRE Tunnels • Lengthy keys can be mistyped. • Keys can be difficult to manage with multiple remote sites. • Manual keying cannot be used to create a site-to-site IPsec VPN with the HP Secure Router 7000dl series. • Manual keying cannot be used to configure a client-to-site VPN or with IKE mode config. You will use the Manage IPsec wizard to create IPsec proposals and IPsec policies for this type of VPN.
Configuring a VPN on the HP TMS zl Module GRE Tunnels 7. Configure global IPsec settings (optional). See “Configure Global IPsec Settings” on page 4-429. 8. Configure the remote GRE over IPsec gateway with compatible settings. See you gateway device’s configuration guide for instructions. Create Named Objects (Optional) You might want to configure the named objects listed in Table 4-43. For your reference, this table includes the location where you would specify these named objects.
Table 4-43 columns: Example Figure Reference | Named Object Description | Named Object Type | Location Where the Named Object is Specified
4 | The IP addresses of endpoints behind the remote tunnel gateway | Single-entry or multiple-entry IP, range, or network address objects | Source or Destination for firewall access policies that permit traffic sent across the VPN
Figure 4-277.
add it to its routing table. This causes recursive routing, which shuts the tunnel down. Therefore, if you plan to use dynamic routing on the tunnel, it is best practice to add a specific static route to the tunnel destination address through the proper gateway. (Make sure to give this route an administrative distance lower than the routing protocol.) Figure 4-278.
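To see why a route learned over the tunnel shuts the tunnel down, and why the static route needs both a specific prefix and a lower administrative distance, here is an added example that is not part of the HP guide. It models a small routing table with longest-prefix matching and administrative distance; the addresses, interface names and AD values are constructed for illustration.

```python
"""Recursive-routing check for a GRE tunnel, as a small routing-table model.
Constructed example; the addresses, interface names and administrative
distances below are assumptions, not values from the HP guide."""
import ipaddress


class Route:
    def __init__(self, prefix, iface, admin_distance, source):
        self.prefix = ipaddress.ip_network(prefix)
        self.iface = iface            # egress interface, e.g. "vlan10" or "gre1"
        self.ad = admin_distance      # lower wins when prefix lengths tie
        self.source = source          # "static", "ospf", ...

    def __repr__(self):
        return f"{self.prefix} via {self.iface} [{self.source}/AD {self.ad}]"


def best_route(table, dest):
    """Longest-prefix match; among equal prefix lengths the lowest AD wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.ad))


def tunnel_is_recursive(table, tunnel_iface, tunnel_dest):
    """True when the best route to the tunnel destination goes through the
    tunnel itself: the module would send the GRE packet into the tunnel it is
    trying to build, and the tunnel goes down."""
    r = best_route(table, tunnel_dest)
    return r is not None and r.iface == tunnel_iface


TUNNEL_IFACE = "gre1"
TUNNEL_DEST = "203.0.113.2"       # remote tunnel gateway address (constructed)


def table_after_ospf_learns_remote_network():
    """A static default route reaches the remote gateway via the WAN VLAN; then
    OSPF over the tunnel learns the remote gateway's own subnet via gre1.
    The more specific /24 now wins over the default route."""
    return [
        Route("0.0.0.0/0", "vlan10", 1, "static"),
        Route("203.0.113.0/24", TUNNEL_IFACE, 110, "ospf"),
    ]


def add_host_route_to_tunnel_dest(table):
    """The guide's fix: a specific static route to the tunnel destination via
    the real gateway, with an AD lower than the routing protocol's (1 < 110)."""
    return table + [Route(f"{TUNNEL_DEST}/32", "vlan10", 1, "static")]


def add_competing_ospf_host_route(table):
    """Even if OSPF later advertises the same /32 through the tunnel, the
    lower AD keeps the static route preferred."""
    return table + [Route(f"{TUNNEL_DEST}/32", TUNNEL_IFACE, 110, "ospf")]


if __name__ == "__main__":
    broken = table_after_ospf_learns_remote_network()
    print("recursive before fix:", tunnel_is_recursive(broken, TUNNEL_IFACE, TUNNEL_DEST))
    fixed = add_host_route_to_tunnel_dest(broken)
    print("recursive after fix:", tunnel_is_recursive(fixed, TUNNEL_IFACE, TUNNEL_DEST))
    print("best route now:", best_route(fixed, TUNNEL_DEST))
```

The host route wins on prefix length against the /24 learned over the tunnel, and the administrative distance is what keeps it winning if the routing protocol ever advertises the same /32 through the tunnel.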
Follow these steps to configure an IPsec proposal: 1. Verify that you are at the correct level in the navigation tree: • To configure a single TMS zl Module, the device’s name within the TMS zl folder. • To configure multiple modules, the TMS zl folder itself. 2. In the main configuration window, you should be at the TMS - VPN > IPsec tab. 3.
Manage IPsec Wizard Figure 4-280. PCM+ > TMS-VPN > IPsec Window (Manage IPsec Wizard) i. In the first window, select IPsec Proposal for Managed Objects and Add for Actions. Figure 4-281. Manage IPsec Wizard > Manage IPsec Main Menu Window ii. Click Next. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 4 on page 4-381.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed. Select the modules that you want to configure (you can press and hold [Ctrl] to select multiple modules) and click the arrow button to move them to the Selected Devices list. Figure 4-282. Manage IPsec Wizard > Select Devices iv. Click Next.
Figure 4-283. Manage IPsec Wizard > Add IPsec Proposal Window 4. In the Add IPsec Proposal window, type a descriptive string of 1 to 32 alphanumeric characters for Proposal Name. The string must be unique to this proposal. Often, it is a good idea to indicate the algorithms that you will select in the name—for example, ESP3desMD5. 5. For Encapsulation Mode, select Transport Mode.
• AES-192 (24) • AES-256 (32) The number in parentheses after AES options indicates the key length for the algorithm in bytes. 8. If you selected either ESP or AH, for Authentication Algorithm, select one of the following: • None (you must not select None if you selected AH for the Security Protocol or if you selected NULL for the ESP Encryption Algorithm) • MD5 • SHA-1 • AES-XCBC 9. Click OK. 10.
2. In the main configuration window, move to the TMS - VPN > IPsec tab. 3. You can add the IPsec policy in several ways: • Click the IPsec Policies tab. Right-click the TMS zl Module’s name and select Add. Move to step 4 on page 4-385. Figure 4-284.
i. In the first window, select IPsec Policy for Managed Objects and Add for Actions. Figure 4-286. Manage IPsec Wizard > Manage IPsec Main Menu Window ii. Click Next.
Figure 4-287. Manage IPsec Wizard > Add IPsec Policy (step 1) Window 4. For Policy Name, type an alphanumeric string between 1 and 32 characters. The string must be unique to this policy. 5. By default, the Enable this policy check box is selected, which means that the policy will begin taking effect as soon as you finish it. Clear the check box if you want to enable the policy later. 6. For Action, keep the default, Apply. 7.
Next, you configure the VPN traffic selector, which determines which traffic will use the VPN tunnel. For a GRE over IPsec VPN, the traffic selector must specify the GRE traffic between the TMS zl Module and the remote tunnel endpoint. Caution For this policy, you will specify a local TMS zl Module IP address. Be very careful to specify GRE for the protocol.
Figure 4-288. Example GRE over IPsec VPN 3. 4. For Traffic Selector, configure these settings: a. For Protocol, specify 47 (GRE). b. For Local Address, specify the local gateway address for the GRE tunnel (indicated by 1 in the figure and not the IP address on the tunnel subnet). c. For Remote Address, specify the remote gateway address for the GRE tunnel (indicated by 3 in the figure and not the IP address on the tunnel subnet).
Figure 4-289. Manage IPsec Wizard > Add IPsec Policy (step 2) Window 7. For Local Gateway, specify the same module IP address that you specified for the local address in the traffic selector. You have two options: • Select IP Address and type the IP address in the box. • Select Use VLAN IP Address and select the VLAN to which this address is assigned. 8.
b. For Inbound Encryption Key (ESP only), type a character string of the specified length. The string must match the outbound encryption key on the remote gateway. It is best practice to use a mix of character types (alphanumeric and special) and not to use dictionary words. c. For Outbound Encryption Key (ESP only), type a character string of the specified length. The string must match the inbound encryption key on the remote gateway. d.
Figure 4-291. Manage IPsec Wizard > Add IPsec Policy Window (Step 4) 12. If desired, configure settings in the Advanced Settings (Optional) section. a. Select the check boxes for the advanced features that you want to enable: – Enable IP compression – Enable fragment before IPsec This setting is enabled by default. For information and guidelines on these settings, see “Advanced IPsec Features” on page 4-21. b.
– The module sets the DF bit for all IPsec packets. – Clear DF bit: the module clears the DF bit for all IPsec packets. See “The Copying of Values from the Original IP Header” on page 4-23 for more information. d. Under DSCP Options, choose how the TMS zl Module assigns DSCP values to IPsec packets. Either: – Select Copy DSCP value from clear packet: the TMS zl Module assigns each IPsec packet the DSCP value assigned to the original IP packet.
Create Access Policies for a GRE over IPsec VPN That Uses Manual Keying To permit the VPN traffic, you must create firewall access policies on each TMS zl Module on which you configured a GRE over IPsec VPN. Before you begin configuring firewall access policies on a module, determine the zone on which traffic from the remote tunnel gateway arrives. This is the zone associated with the TMS VLAN on which the tunnel’s source IP address is configured.
For access policies that permit the traffic sent over the tunnel, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system. Otherwise, the addition of the GRE and IP delivery headers might make the packets too large to be transmitted. Table 4-44 suggests a value for the TCP MSS when the MTU is 1500.
Configuring a VPN on the HP TMS zl Module Manage Certificates
Table 4-44 columns: When Required | Type | From Zone | To Zone | Service | Source | Destination | MSS | Number of policies
Dynamic routing over the tunnel; default policies disabled | Multicast | Tunnel | SELF | OSPF or RIP | 6 | Any Address or multicast address | — | 1
Dynamic routing over the tunnel; default policies disabled | Multicast | SELF | Tunnel | OSPF or RIP | 5 | Any Address or multicast address | — | 1
Manage Certificates If you selected certificates for the IKE authenticati
2. It is important that you are at the correct level in the navigation tree when you launch the Manage GRE wizard: • To configure one TMS zl Module, select the module in the navigation tree. • If you want to configure multiple modules, select the TMS zl folder. 3. In the main configuration window, click TMS - VPN. 4. Click the Certificates tab.
i. In the first window, select Private Key for Managed Objects and Generate for Action. Figure 4-294. Manage Certificates Wizard > Manage Certificates Main Menu ii. Click Next. iii. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 2 on page 4-397. iv. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-295. Manage Certificates Wizard > Generate Private Key 2. For Private Key Identifier, type a descriptive string between 1 and 31 alphanumeric characters. The string must be unique to this key on each selected module. 3. For Key Algorithm, select RSA or DSA. When you configured the IKEv1 policy, you selected DSA Signature or RSA Signature for Authentication Method. Match this setting. 4.
Figure 4-296. Manage Certificates Wizard > Configuration Preview 6. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
Figure 4-297. Manage Certificates Wizard > Applying Settings 7. The key is generated and installed on the TMS zl Module. After the process completes successfully, close the window. Move to “Create a Certificate Request” on page 4-403. Import a Private Key. You can also import a private key that was generated elsewhere: 1. Transfer the private key to an FTP, TFTP, or SCP server.
Manage Certificates Wizard Figure 4-298. PCM+ > TMS-VPN > Certificates > Private Keys Window • You can also launch the Manage Certificates wizard in one of two ways (required when you are configuring multiple modules): – Right-click the TMS zl folder or the module node in the navigation tree. Select TMS - VPN > Manage Certificates. – Click the Manage Certificates Wizard icon. i.
ii. Click Next. iii. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 3 on page 4-401. iv. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed. Select the modules that you want to configure (you can press and hold [Ctrl] to select multiple modules) and click the arrow button to move them to the Selected Devices list. v. Click Next. 3.
6. For Server IP address, type the name or the IP address of the server where you placed the CA certificate. 7. For File Name, type the certificate’s file name, including the path if the certificate is not in the root folder. 8. If necessary for your file transfer server, type a valid username and password. 9. Click Next. Figure 4-301. Manage Certificates Wizard > Configuration Preview 10.
Figure 4-302. Manage Certificates Wizard > Applying Settings 11. The key is downloaded and installed on the TMS zl Module. After the process completes successfully, close the window. 12. It is best practice to delete the key from the file transfer server. Create a Certificate Request Next, create a certificate request. 1. In the PCM+ navigation tree, expand the Network Management Home > Agent Groups > Default Agent Group > Devices > TMS zl.
Manage Certificates Wizard Figure 4-303. PCM+ > TMS-VPN > Certificates > Certificate Requests Window • You can also open the Manage Certificate wizard in one of these two ways (required when you are configuring multiple modules): – Right-click the selected folder or node in the navigation tree. Select TMS-VPN > Manage Certificates. – Click the Manage Certificates Wizard icon in the toolbar. i.
iv. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed. Select the modules that you want to configure (you can press and hold [Ctrl] to select multiple modules) and click the arrow button to move them to the Selected Devices list. v. Click Next. 6. The Generate Certificate window will differ slightly based on whether you are configuring a single TMS zl Module or multiple modules.
You must select the same algorithm that is used by the private key. That is, select MD5 with RSA or SHA-1 with RSA for an RSA key; select SHA-1 with DSA for a DSA key. 9. For Private Key Identifier, select the private key that you added in “Generate or Install a Private Key” on page 4-394. 10. For Subject Name, type the FQDN of the TMS zl Module. Use the format . For example, type TMS.hplabs.com.
Figure 4-306. Manage Certificates Wizard > Generate Certificate (Filled In) 12. If you are configuring multiple modules, remember to select each and configure its settings. 13. Click Next. Figure 4-307.
14. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
17. Beginning at ---BEGIN CERTIFICATE REQUEST--- and ending at ---END CERTIFICATE REQUEST---, select the data. Copy it (for example, by pressing [Ctrl + c]) and paste it in a document created in a text editor. Save the file (if necessary, using the file extension required by your CA). 18. Submit the certificate request file to your CA. Request that certificate files be returned to you in PEM or DER format. 19.
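When you copy the request out of the wizard window it is easy to drop a line or pick up surrounding text, and a CA will usually reject the file without explaining why. This added example, which is not code from the HP guide, extracts the block between the BEGIN and END markers, checks that the body is valid base64 and a complete DER SEQUENCE, and re-wraps it as a standard PEM file. The sample pasted text and its five-byte DER body ("MAMCAQA=") are constructed placeholders, not a real certificate request.

```python
"""Extract and sanity-check the certificate request copied from the wizard.
Added example, not HP code. The pasted text and the DER body are constructed
placeholders: "MAMCAQA=" is a five-byte DER SEQUENCE, not a real CSR."""
import base64
import binascii
import re

# Accept the three-dash markers as shown in the guide as well as standard
# five-dash PEM markers.
PEM_BLOCK = re.compile(
    r"-{3,}BEGIN CERTIFICATE REQUEST-{3,}\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)"
    r"\s*-{3,}END CERTIFICATE REQUEST-{3,}")


def der_sequence_length(der):
    """Return the content length declared by the outer DER SEQUENCE; raise if
    the data is not a SEQUENCE or its declared length does not match."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError(f"DER length mismatch: declared {length}, "
                         f"got {len(der) - header} (truncated or padded copy?)")
    return length


def extract_csr(text):
    """Return (pem_text, der_bytes) for the request block inside pasted text."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    body = "".join(m.group("body").split())      # drop line breaks and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as e:
        raise ValueError(f"body is not valid base64: {e}") from e
    der_sequence_length(der)                      # raises on a truncated copy
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    pem = ("-----BEGIN CERTIFICATE REQUEST-----\n" + wrapped +
           "\n-----END CERTIFICATE REQUEST-----\n")
    return pem, der


def save_request(text, path):
    """Write the cleaned PEM to `path` and return it."""
    pem, _ = extract_csr(text)
    with open(path, "w", encoding="ascii", newline="\n") as f:
        f.write(pem)
    return pem


# Constructed sample of what a copy from the wizard window might contain.
PASTED_OK = """Certificate request for TMS.hplabs.com (copied from the wizard window)
---BEGIN CERTIFICATE REQUEST---
MAMCAQA=
---END CERTIFICATE REQUEST---
Click Next."""

# The same block with the tail of the base64 data lost during the copy.
PASTED_TRUNCATED = PASTED_OK.replace("MAMCAQA=", "MAMC")

if __name__ == "__main__":
    print(extract_csr(PASTED_OK)[0])
    try:
        extract_csr(PASTED_TRUNCATED)
    except ValueError as err:
        print("rejected:", err)
```

The DER length check is what catches a partial copy: base64 still decodes, but the outer SEQUENCE declares more bytes than were pasted.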
i. In the first window, select CA Certificate for Managed Objects and Import for Action. Figure 4-310. Manage Certificates Wizard > Manage Certificates Main Menu ii. Click Next. iii. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 3 on page 4-411. iv. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-311. Manage Certificates Wizard > Import CA Certificates 3. For Protocol, select FTP, TFTP, or SCP. 4. For Server IP Address, type the name or the IP address of the server where you placed the CA certificate. 5. For File Name, type the certificate’s file name, including the path if the certificate is not in the root folder. 6. If necessary for your file transfer server, type a valid username and password. 7. Click Next.
Figure 4-312. Manage Certificates Wizard > Configuration Preview 8. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
• If you are configuring a single module, click the IPsec Certificates tab. Right-click the TMS zl Module’s name in the main configuration window and select Import. Move to step 3 on page 4-414. Manage Certificates Wizard Figure 4-313.
i. In the first window, select IPsec Certificate for Managed Objects and Import for Action. Figure 4-314. Manage Certificates Wizard > Manage Certificates Main Menu ii. Click Next. iii. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 3 on page 4-414. iv. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-315. Manage Certificates Wizard > Configuration Preview 8. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
Manage Certificates Wizard Figure 4-316. PCM+ > TMS-VPN > Certificates > CRL Window • You can also open the Manage Certificate wizard in one of two ways: – Right-click the TMS zl folder or module name in the navigation tree. Select TMS-VPN > Manage Certificates. – Click the Manage Certificates icon in the toolbar. i. In the first window, select CRL for Managed Objects and Import for Action. Figure 4-317.
iii. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 2 on page 4-417. iv. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed. Select the modules that you want to configure (you can press and hold [Ctrl] to select multiple modules) and click the arrow button to move them to the Selected Devices list. v. Click Next. 2. For Protocol, select FTP, TFTP, or SCP.
Figure 4-319. Manage Certificates Wizard > Configuration Preview 7. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
Complete the sections below to install certificates automatically using SCEP. Configure SCEP Settings Before you can retrieve the certificates, you must configure the SCEP settings: 1. In the PCM+ navigation tree, expand Network Management Home > Agent Groups > Default Agent Group > Devices > TMS zl. 2. Select the IP address of the TMS zl Module on which you want to configure a VPN. 3. In the main configuration window, click TMS - VPN. 4.
i. Whichever way you open the wizard, in the first window, select SCEP Settings for Managed Objects and Edit for Action. Figure 4-320. Manage Certificates Wizard > Manage Certificates Main Menu ii. Click Next. iii. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 6 on page 4-421. iv. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-321. Manage Certificates Wizard > Edit SCEP Settings 6. Select the Enable SCEP Server check box. 7. For SCEP Server IP Address/Domain Name, type either the IP address or FQDN of your CA server. The CA must, of course, support SCEP. 8. For SCEP Server Port, type the port number on which your CA server listens for SCEP messages. The default port is 80. 9.
Figure 4-322. Manage Certificates Wizard > Configuration Preview 12. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
Manage Certificates Wizard Figure 4-323. PCM+ > TMS-VPN > Certificates > CA Certificates Window • You can also open the Manage Certificate wizard in one of two ways (required when you are retrieving certificates to multiple modules): – Right-click the TMS zl folder or module name in the navigation tree. Select TMS-VPN > Manage Certificates. – Click the Manage Certificates Wizard icon in the toolbar. i.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed. Select the modules that you want to configure (you can press and hold [Ctrl] to select multiple modules) and click the arrow button to move them to the Selected Devices list. Click Next. Figure 4-325. Manage Certificates Wizard > Configuration Preview 3. Review the configuration settings you have selected.
Note Ask your CA administrator if you need a particular CGI path to the CRL distribution point. (For example, for a Windows 2008 CA, /CertEnroll/.crl might be the correct CGI path.) If you need to change the SCEP settings, follow the steps in “Configure SCEP Settings” on page 4-419. Follow these steps: 1. In the navigation tree, you should be at the TMS zl folder or a device listed in that folder. 2.
iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed. Select the modules that you want to configure (you can press and hold [Ctrl] to select multiple modules) and click the arrow button to move them to the Selected Devices list. Click Next. 3. The window looks slightly different depending on whether you have selected multiple modules.
Retrieve the IPsec Certificate Next, you must import the TMS zl Module’s certificate. Contact your CA’s representatives and make sure that the CA is ready to issue the module a certificate. (Also, if you changed the CGI path to install the CRL, return to the SCEP tab and change the path to the correct one for installing the module’s certificate.) Then follow these steps: 1.
3. The window is slightly different depending on whether you have selected multiple modules. If you have, you must select each module in the Available Devices list and configure the settings for that module individually. Figure 4-329. Manage Certificates Wizard > Retrieve IPsec certificate through SCEP Window 4. For Subject Name, typically you type the TMS zl Module’s FQDN after /CN=.
Configuring a VPN on the HP TMS zl Module Configure Global IPsec Settings A challenge password is typically used to revoke a certificate, but your CA may also require you to enter a challenge password to request a certificate. If your CA does not require a password, leave this box empty. 9. For Identifier to store Private Key, type a string between 1 and 31 alphanumeric characters. The string must be unique to this private key. 10.
■ You can launch the Manage IPsec wizard and select the modules and settings to be configured from there. This option enables you to manage multiple modules at once. See step 2 on page 4-430. 1. Follow these steps to reach the configuration window: a. In the navigation tree, expand the Network Management Home > Agent Groups > [my group] folders. You can either select the TMS zl folder or expand the folder and select a specific module.
c. In the Main Menu window, for Object, select IPsec settings. For Action, select Edit. d. Click Next. If you have launched the wizard from a specific TMS zl Module in the navigation tree, move to step 3 on page 4-432. e. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-332. Manage IPsec Wizard > Edit IPsec Settings 3. By default, the Enable IPsec check box is selected: • Clear the check box to disable IPsec VPN functionality on the entire TMS zl Module. When this setting is disabled, the module will not act as a VPN gateway, initiate VPN tunnels, nor respond to IKE and IPsec messages from remote endpoints.
By default, this check box is selected. 5. For Maximum SA per Policy, type the maximum number of SAs that can be established using each IPsec policy. The valid range is 2 to 10000. The default is 10000. Each connection to a remote client requires 2 SAs (one inbound and one outbound). Note that although you can define up to 10000 SAs per policy, only 4800 sessions can be open concurrently.
Configuring a VPN on the HP TMS zl Module Bypass and Deny IPsec Policies Bypass and Deny IPsec Policies Bypass and Deny IPsec policies allow the TMS zl Module to select a subset of the traffic in a VPN for different handling. Bypass Policies The TMS zl Module forwards traffic that matches Bypass policies but it does not secure it with an IPsec SA. By default, the module has a Bypass policy that selects all traffic, allowing non-VPN traffic that the firewall permits to reach its destination.
2. In the main configuration window, move to the TMS - VPN > IPsec tab. 3. You can add the IPsec policy in several ways: • Click the IPsec Policies tab. Right-click the TMS zl Module’s name and select Add. Move to step 4 on page 4-436. Figure 4-333.
i. In the first window, select IPsec Policy for Managed Objects and Add for Actions. Figure 4-335. Manage IPsec Wizard > Manage IPsec Main Menu Window ii. Click Next. 4. For Policy Name, type an alphanumeric string between 1 and 10 characters. The string must be unique to this policy. 5. The policy does not take effect until it is enabled.
Figure 4-336. Manage IPsec Wizard > Add IPsec Policy (step 1) Window 7. Select an option for Direction: • Both • Inbound • Outbound The default selection is Both, which means that the policy applies to both inbound and outbound traffic. 8. For Position, type a number. The position determines the order in which the TMS zl Module processes IPsec policies.
A default IPsec Bypass policy prevents all traffic from being encrypted by the VPN engine; therefore, all IPsec policies that you configure must have a higher priority than this default policy. Next, you configure the VPN traffic selector, which determines which traffic is selected by the policy. For example, the selector might specify all IP traffic between 192.168.2.0/24 (a local network) and 192.168.3.0/24 (a remote network). 9.
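The position rule above (every policy you configure must sit at a higher priority than the default Bypass policy) is easy to get wrong, and the failure is silent: traffic that reaches the default Bypass first is forwarded without IPsec. This added example, which is not code from the HP guide, models the ordered policy list and reports any Apply policy that an earlier Bypass or Deny policy completely covers. It assumes that a lower position number is processed first and that the default Bypass policy sits at position 65535; both are this example's assumptions, as are the 192.168.3.100 Deny entry and the sample traffic.

```python
"""Model of an ordered IPsec policy list (Apply / Bypass / Deny) with a check
for Apply policies hidden behind the default Bypass. Added example, not HP
code. Assumptions: a lower position is processed first, the default Bypass
sits at position 65535, and all addresses are constructed."""
import ipaddress


class IPsecPolicy:
    def __init__(self, name, action, position, local, remote,
                 protocol="any", enabled=True):
        if action not in ("Apply", "Bypass", "Deny"):
            raise ValueError(action)
        self.name, self.action, self.position = name, action, position
        self.local = ipaddress.ip_network(local)      # traffic selector, local side
        self.remote = ipaddress.ip_network(remote)    # traffic selector, remote side
        self.protocol = protocol                      # "any" or an IP protocol number
        self.enabled = enabled

    def matches(self, src, dst, protocol):
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote
                and self.protocol in ("any", protocol))

    def covers(self, other):
        """True if every packet `other` selects is also selected by this policy."""
        return (other.local.subnet_of(self.local)
                and other.remote.subnet_of(self.remote)
                and self.protocol in ("any", other.protocol))


def ordered(policies):
    """Enabled policies in processing order (lowest position first)."""
    return sorted((p for p in policies if p.enabled), key=lambda p: p.position)


def select_policy(policies, src, dst, protocol="any"):
    """First enabled policy, in position order, whose selector matches."""
    for p in ordered(policies):
        if p.matches(src, dst, protocol):
            return p
    return None


def shadowed_apply_policies(policies):
    """Names of Apply policies that can never be reached because an earlier
    Bypass or Deny covers their whole selector: that traffic is forwarded in
    the clear (Bypass) or dropped (Deny) instead of being protected."""
    seq = ordered(policies)
    return [p.name for i, p in enumerate(seq)
            if p.action == "Apply"
            and any(q.action != "Apply" and q.covers(p) for q in seq[:i])]


DEFAULT_BYPASS = IPsecPolicy("default-bypass", "Bypass", 65535,
                             "0.0.0.0/0", "0.0.0.0/0")
SITE_TO_SITE = dict(name="site-to-site", action="Apply",
                    local="192.168.2.0/24", remote="192.168.3.0/24")
# Traffic to one remote host must never use the VPN (constructed requirement).
DENY_HOST = IPsecPolicy("deny-host", "Deny", 5,
                        "192.168.2.0/24", "192.168.3.100/32")


def correct_policy_list():
    return [DEFAULT_BYPASS, DENY_HOST, IPsecPolicy(position=10, **SITE_TO_SITE)]


def misordered_policy_list():
    # The Apply policy is placed after the default Bypass and is never consulted.
    return [DEFAULT_BYPASS, DENY_HOST, IPsecPolicy(position=70000, **SITE_TO_SITE)]


if __name__ == "__main__":
    for label, plist in (("correct", correct_policy_list()),
                         ("misordered", misordered_policy_list())):
        hit = select_policy(plist, "192.168.2.5", "192.168.3.9")
        print(f"{label}: 192.168.2.5 -> 192.168.3.9 gets {hit.name} ({hit.action});"
              f" shadowed: {shadowed_apply_policies(plist)}")
```

Running the shadow check after every policy change is the cheap way to catch the misordering before any cleartext leaves the module.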
Configuring a VPN on the HP TMS zl Module Managing VPNs 10. Click OK. 11. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
3. Expand the Filters section if you want to view only certain IKE policies. You can apply filters based on name, type (client-to-site or site-to-site), local gateway, remote gateway, or authentication method (DSA signature, preshared key, or RSA signature). 4. Select the IKE policy that you want to view. 5. Move the bottom section of the window up or down as needed to view the IKE policy settings. Figure 4-337.
Figure 4-338. PCM+ > TMS-VPN > IPsec Window 3. You can edit the IKE policy in several ways: • You can click the IKEv1 Policies tab. Expand the TMS zl Module. Right-click the name of the policy that you want to configure and select Edit. Move to step 4 on page 4-443. • You can also open the Manage IPsec wizard in one of these two ways: – Right-click the folder or device and select TMS - VPN > Manage IPsec Wizard.
Manage IPsec Wizard Figure 4-339. PCM > TMS-VPN Window (Manage IPsec Wizard) i. Whichever way you open the wizard, in the first window, select IKEv1 Policy for Managed Objects and Edit for Actions. ii. Click Next. iii. If you launched the wizard from the folder level, you must select a single device and move it to the right section. Click Next. iv. In the window that is displayed, select the single IKE policy that you want to edit.
Figure 4-340. Manage IPsec Wizard 4. Edit any settings on this window. Then click Next to view the next configuration window, editing any settings on that window. Continue this process until the Configuration Preview window is displayed. 5. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box.
Deleting IKE Policies To delete an IKE policy or policies, complete the following steps: 1. Navigate to the correct location in the PCM+ navigation tree: • To delete policies from multiple TMS zl Modules, the TMS zl folder • To delete policies from a single module, that module within the folder. 2. In the main configuration window, click TMS - VPN and then click the IPsec tab. Figure 4-341. PCM+ >TMS-VPN > IPsec Window 3.
Manage IPsec Wizard Figure 4-342. PCM+ > TMS-VPN > IPsec Window (Manage IPsec Wizard) i. Whichever way you open the wizard, in the first window, select IKEv1 Policy for Managed Objects and Delete for Actions. ii. Click Next. iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.
Figure 4-343. Manage IPsec Wizard > Select Devices iv. Click Next. v. In the window that is displayed, select the IKE policies that you want to delete. Click the arrow button to move it to the right section. You can hold down [Ctrl] while you click to select multiple policies at once. vi. Click Next. 4. If an IKE policy is being used by an IPsec policy, you will receive an error message, telling you that the IKE policy is in use.
Figure 4-344. Manage IPsec Wizard > Configuration Preview 5. Review the policies that you have selected for deletion. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
Managing IPsec Proposals

You can use the TMS management capabilities of NIM to view, edit, or delete the IPsec proposals that have been created on your TMS zl Modules.

Viewing an IPsec Proposal

To view an IPsec proposal, complete the following steps:

1. In the PCM+ navigation tree, locate and select the TMS zl Module that has the IPsec proposal that you want to view.
2.

1. In the PCM+ navigation tree you can be at the TMS zl folder or at a module within the folder.
2. In the main configuration window, click TMS - VPN and then click the IPsec tab.

Figure 4-346. PCM+ > TMS-VPN > IPsec Window

3. You can edit the IPsec proposal in several ways:
   • You can click the IPsec Proposal tab. Expand the TMS zl Module. Right-click the name of the proposal that you want to configure and select Edit.

Manage IPsec Wizard

Figure 4-347. PCM+ > TMS-VPN Window (Manage IPsec Wizard)

   i. Whichever way you open the wizard, in the first window, select IKEv1 Policy for Managed Objects and Edit for Actions.
   ii. Click Next.
   iii. If you launched the wizard from the folder level, you must select a single device and move it to the right section. Click Next.
   iv. In the window that is displayed, select the single IPsec proposal that you want to edit.

Figure 4-348. Manage IPsec Wizard > Edit IPsec Proposal Window

5. Click Next. The Configuration Preview window is displayed.
6. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box. If the TMS zl Module is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box.
Deleting IPsec Proposals

To delete an IPsec proposal or proposals, complete the following steps:

1. Navigate to the correct location in the PCM+ navigation tree:
   • To delete proposals from multiple TMS zl Modules, the TMS zl folder
   • To delete proposals from a single module, that module within the folder.
2.

Manage IPsec Wizard

Figure 4-350. PCM+ > TMS-VPN > IPsec Window (Manage IPsec Wizard)

   i. Whichever way you open the wizard, in the first window, select IPsec Proposal for Managed Objects and Delete for Actions.
   ii. Click Next.
   iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.

Figure 4-351. Manage IPsec Wizard > Select Devices

   iv. Click Next.
   v. In the window that is displayed, select the IPsec proposals that you want to delete. Click the arrow button to move them to the right section. You can hold down [Ctrl] while you click to select multiple proposals at once.
   vi. Click Next.
4. If the IPsec proposal is being used by an IPsec policy, you will receive an error message, telling you that the proposal is in use.

Figure 4-352. Manage IPsec Wizard > Configuration Preview

5. Review the proposals that you have selected for deletion. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
Managing IPsec Policies

You can use the TMS management capabilities of NIM to view, edit, or delete the IPsec policies that have been created on your TMS zl Modules.

Viewing an IPsec Policy

To view an IKE policy, complete the following steps:

1. In the PCM+ navigation tree, locate and select the TMS zl Module that has the IPsec policy that you want to edit.
2.

Figure 4-353. PCM+ > TMS-VPN > IPsec > IPsec Policies

4. Select the IPsec policy that you want to view.
5. Move the bottom section of the window up or down as needed to view the IPsec policy settings.

Editing an IPsec Policy

You can edit only one IPsec policy at once. To edit an IPsec policy, complete the following steps:

1. In the PCM+ navigation tree you can be at the TMS zl folder or at a module within the folder.
2.

Figure 4-354. PCM+ > TMS-VPN > IPsec Window

3. You can edit the IPsec policy in several ways:
   • You can click the IPsec Policies tab. Expand the TMS zl Module. Right-click the name of the policy that you want to configure and select Edit. Move to step 4 on page 4-459.
   • You can also open the Manage IPsec wizard in one of these two ways:
      – Right-click the folder or device and select TMS - VPN > Manage IPsec Wizard.

Manage IPsec Wizard

Figure 4-355. PCM+ > TMS-VPN Window (Manage IPsec Wizard)

   i. Whichever way you open the wizard, in the first window, select IPsec Policy for Managed Objects and Edit for Actions.
   ii. Click Next.
   iii. If you launched the wizard from the folder level, you must select a single device and move it to the right section. Click Next.
   iv. In the window that is displayed, select the single IKE policy that you want to edit.

Figure 4-356. Manage IPsec Wizard > Edit IPsec Policy Window

5. Edit any settings on this window. Then click Next to view the next configuration window, editing any settings on that window. Continue this process until the Configuration Preview window is displayed.
6. Review the configuration settings you have selected. If you want to save the changes as well as apply them, select the Save Configuration check box.
Deleting IPsec Policies

To delete an IPsec policy or policies, complete the following steps:

1. Navigate to the correct location in the PCM+ navigation tree:
   • To delete policies from multiple TMS zl Modules, the TMS zl folder
   • To delete policies from a single module, that module within the folder.
2. In the main configuration window, click TMS - VPN and then click the IPsec tab.

Figure 4-357. PCM+ > TMS-VPN > IPsec Window

3.

Manage IPsec Wizard

Figure 4-358. PCM+ > TMS-VPN > IPsec Window (Manage IPsec Wizard)

   i. Whichever way you open the wizard, in the first window, select IPsec Policy for Managed Objects and Delete for Actions.
   ii. Click Next.
   iii. If you launched the wizard from the TMS zl folder, the Select Devices window is displayed.

Figure 4-359. Manage IPsec Wizard > Select Devices

   iv. Click Next.
   v. In the window that is displayed, select the IPsec policies that you want to delete. Click the arrow button to move them to the right section. You can hold down [Ctrl] while you click to select multiple policies at once.
   vi. Click Next.

Figure 4-360. Manage IPsec Wizard > Configuration Preview

4. Review the policies that you have selected for deletion. If you want to save the changes as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
Viewing IP Address Pools

You can view information about the IP address pools that you have created for IKE Mode Config.

1. In the PCM+ navigation tree, click the TMS-VPN tab and then the IPsec tab.
2. Click the IP Address Pool Records tab.

Figure 4-361.
Managing GRE Tunnel Settings

You can use the TMS management capabilities of NIM to view, edit, or delete the GRE tunnel settings that have been created on your TMS zl Modules.

Viewing GRE Tunnel Settings

To view GRE tunnel settings, complete the following steps:

1. In the PCM+ navigation tree, locate and select the TMS zl Module that has the GRE tunnel that you want to view.
2. In the main configuration window, click the TMS - VPN tab.

Traffic that is received on the tunnel has this zone as its source zone. Traffic that is routed across the tunnel has this zone as its destination zone.
• Source IP Address—the TMS zl Module IP address that acts as the local gateway for the tunnel; the remote tunnel gateway sends GRE traffic to this address.
• Destination IP Address—a reachable IP address on the remote tunnel gateway; the TMS zl Module sends GRE traffic to this address.

If you want to see more details about the tunnel’s activity, click View in the Traffic Information column. The Traffic Information for window is displayed.

Figure 4-363.

• Keepalives returned to the other end—The number of keepalives that the TMS zl Module has sent back to the remote tunnel gateway in response to that device’s keepalives (since the last change in status)

The Tunnel Statistics table shows statistics for traffic sent and received on the tunnel. You can see the number of bytes and packets sent and received, as well as the tunnel’s average rate in both KBytes per second and packets per second.
Figure 4-364. Manage GRE Wizard > Configure GRE Tunnel parameters

6. Edit any settings on this window and click Next. The Configuration Preview window is displayed.
7. Review the settings on the Configuration Preview window. If you want to save the changes as well as apply them, select the Save Configuration check box.

Deleting a GRE Tunnel

To delete a GRE tunnel, complete the following steps:

1. In the PCM+ navigation tree, locate and select the TMS zl Module that has the GRE tunnel that you want to delete.
2. In the main configuration window, click the TMS - VPN tab. Then click the GRE Tunnels tab and the GRE Tunnels subtab.
3. Right-click the GRE tunnel that you want to delete.
4. In the menu that is displayed, select Delete.

Figure 4-365.

6. The Applying Settings window is displayed. To stop the deletion of the GRE tunnel before this action is completed, click Halt. To display a summary, click Summary. To close the window, click Close.

Managing Connections

Using the TMS management capabilities in NIM, you can view active VPN connections.

Clearing VPN Connections

You can clear IKEv1 SAs and IPsec SAs (VPN tunnels). When you clear an SA, the TMS zl Module deletes it.
Figure 4-367. Status: Manage VPN Connections Window

4. After the connections have been refreshed, click Close.

Viewing Active IKE SAs

You can view the active IKE security associations (SAs). Follow these steps:

1. In the PCM+ navigation tree, locate and select the TMS zl Module that has the IKE SAs that you want to view.
2. In the main configuration window, click the TMS - VPN tab, the Connections tab, and then the IKEv1 SA tab.
3.

Figure 4-368.

1. In the PCM+ navigation tree, locate and select the TMS zl Module that has the active IPsec VPN tunnels that you want to monitor.
2. In the main configuration window, click the TMS - VPN tab, the Connections tab, and then the IPsec VPN Tunnels tab.
3. Select the IPsec VPN Tunnel that you want to view.
4. Move the bottom section of the window up or down as needed to view the IPsec VPN tunnel information.

■ SoftLife Time in Seconds—the number of seconds before the TMS zl Module will begin renegotiating the SA (unless the soft lifetime in KB expires first)
■ HardLife Time in KB—the number of kilobytes that the SA is allowed to carry before it expires
■ SoftLife Time in KB—the number of kilobytes that the SA will carry before the TMS zl Module begins renegotiating the SA (unless the soft lifetime in seconds expires first)
■ Bytes Processed—the numb
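To make the interplay of the soft and hard lifetimes above concrete, together with the average rate shown in the Tunnel Statistics table, here is an added Python model of the rekey and expiry decisions for one SA. It is not HP code and not from this guide; the class and function names, the rule that whichever limit (seconds or KB) is reached first wins, and the sample lifetime values are this example's own assumptions.

```python
"""Rekey and expiry decisions for one IPsec SA.

Added example, not HP code: it models the soft/hard lifetimes listed in the
IPsec VPN Tunnels view and the average rate shown in the Tunnel Statistics
table. Assumed behaviour: the first limit reached (seconds or KB) wins.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SaLifetimes:
    """Lifetime values as displayed for an SA (field names are this example's)."""
    hard_seconds: int   # HardLife Time in Seconds
    soft_seconds: int   # SoftLife Time in Seconds
    hard_kb: int        # HardLife Time in KB
    soft_kb: int        # SoftLife Time in KB


def lifetimes_are_valid(lt: SaLifetimes) -> bool:
    """Soft limits must sit strictly below hard limits, otherwise the module
    would never get to renegotiate before the SA is torn down."""
    return 0 < lt.soft_seconds < lt.hard_seconds and 0 < lt.soft_kb < lt.hard_kb


@dataclass
class SaState:
    lifetimes: SaLifetimes
    created_at: float         # seconds since epoch when the SA was negotiated
    bytes_processed: int = 0  # Bytes Processed counter for this SA

    def __post_init__(self) -> None:
        if not lifetimes_are_valid(self.lifetimes):
            raise ValueError("soft lifetime must be below hard lifetime")

    def age_seconds(self, now: float) -> float:
        return float(now - self.created_at)

    def kb_processed(self) -> float:
        return self.bytes_processed / 1024

    def status(self, now: float) -> str:
        """'expired' once either hard limit is hit, 'rekey' once either soft
        limit is hit (renegotiation should be under way), else 'active'."""
        lt, age, kb = self.lifetimes, self.age_seconds(now), self.kb_processed()
        if age >= lt.hard_seconds or kb >= lt.hard_kb:
            return "expired"
        if age >= lt.soft_seconds or kb >= lt.soft_kb:
            return "rekey"
        return "active"

    def predicted_soft_trigger(self, now: float, rate_kb_per_s: float):
        """Which soft limit fires first at the current average rate, and in
        how many seconds. Returns ('seconds', n) or ('kb', n)."""
        lt = self.lifetimes
        by_time = max(lt.soft_seconds - self.age_seconds(now), 0.0)
        remaining_kb = max(lt.soft_kb - self.kb_processed(), 0.0)
        by_volume = remaining_kb / rate_kb_per_s if rate_kb_per_s > 0 else math.inf
        if by_volume < by_time:
            return ("kb", by_volume)
        return ("seconds", by_time)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real module.
    lt = SaLifetimes(hard_seconds=3600, soft_seconds=3000,
                     hard_kb=102400, soft_kb=90000)
    sa = SaState(lt, created_at=0, bytes_processed=40000 * 1024)
    print(sa.status(1000), sa.predicted_soft_trigger(1000, 100.0))
```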
Manage VPN connections

Figure 4-369. PCM+ > TMS-VPN > Connections Window

4. Select Flush IKEv1 SA or Flush IPsec VPN Tunnels.

Figure 4-370. Manage VPN Connections

5. Click OK.

Figure 4-371. Manage VPN Connections

The Status: Manage VPN Connections window is displayed.

Figure 4-372. Status: Manage VPN Connections Window

6. Click Close.

The Manage VPN Connections functionality is one way you can troubleshoot problems with VPN connections that are not being established correctly. For example, if a VPN client establishes an IKE SA but cannot establish the IPsec tunnel, you may want to flush the IKE SA. You can then check your VPN settings and determine if you need to adjust them before the VPN client tries to connect again.
Configuring a VPN on the HP TMS zl Module Exporting and Importing Objects

This window displays the IP addresses currently assigned to remote endpoints:
• Assigned IP Address—the IP address assigned to the remote endpoint through IKE Mode Config
• Peer Address—the remote endpoint’s actual IP address (as it appears on the network through which it connects to the TMS zl Module)
• Remote ID Type—the type of ID with which the remote endpoint identifies itself during IKE
• Remote ID Data—the remote endpoi
■ You can select the specific objects that you want to export from the main configuration window in PCM+. Begin at step 1.
■ You can launch the Manage IPsec wizard and select the policy or policies from there. Begin at step 2 on page 4-481.

1. Follow these steps to access the windows:
   a. In the main configuration window, click TMS - VPN > IPsec.
   b. To export IKE policies, click the IKEv1 Policies tab.

      – In the navigation tree, right-click the module’s name and select TMS - VPN > Manage IPsec.
      – Click the Manage IPsec Wizard icon.
   c. In the Main Menu window, for Managed Objects, select either IKEv1 policy or IPsec Proposal. For Actions, select Export.

Figure 4-374. Manage IPsec Wizard > Manage IPsec Main Menu

   d. Click Next.

Figure 4-375. Manage IPsec Wizard > Export IKEv1 Policies

   e. Select the objects that you want to export. Click the arrow button to move each one to the Selected IKEv1 Policies or Selected IPsec Proposals list.
   f. Click Next.
3. The Available Devices list displays all of the TMS zl Modules managed by this PCM+ agent. Select the modules to which you want to export the objects.

Figure 4-376. Manage IPsec Wizard > Select Devices

4. Click Next.

Figure 4-377. Manage IPsec Wizard > Export IKEv1 Policies

5. When you are exporting IKEv1 policies, you can customize the settings shown in Figure 4-377. The Available IKEv1 Policies list displays each policy selected for export under each selected module. Select each policy in turn and customize the settings displayed in the right pane.

Figure 4-378. Manage IPsec Wizard > Export IPsec Proposal

6. After you have customized the policies or proposals, click Next.

Figure 4-379. Manage IPsec Wizard > Configuration Preview

7. Review the settings in the exported objects. If you want to save the settings as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.
8. A window is displayed, showing the settings being applied to the TMS zl Module. When you see that they have been applied successfully, click Close.

Importing an IKE Policy or IPsec Proposal

To import an IKE policy or IPsec proposal, you must navigate to the TMS zl folder in the PCM+ navigation tree.
2. Follow these steps to access the windows:
   a. Expand the TMS zl folder and select the TMS zl Module to which you want to import policies.
   b. Launch the Manage IPsec wizard in one of two ways:
      – In the navigation tree, right-click the module’s name and select TMS - VPN > Manage IPsec.
      – Click the Manage IPsec Wizard icon.
   c. In the Main Menu window, for Managed Objects, select either IKEv1 Policy or IPsec Proposal.

You can view and select modules managed by another agent by selecting that agent from the drop-down menu.

Figure 4-382. Manage IPsec Wizard > Select Devices

4. Click Next.
5. The Available IKEv1 Policies or Available IPsec Proposals list displays the objects of this type that are configured on the module or modules that you selected in the previous wizard window.

Figure 4-383. Manage IPsec Wizard > Select IPsec Proposals

6. Click Next.

Figure 4-384. Manage IPsec Wizard > Import IKEv1 Policies

7. When you are importing IKEv1 policies, you can customize a variety of settings. The Available IKEv1 Policies list displays the imported policies. Select each policy in turn and customize the settings displayed in the right pane. For example, you can change the local gateway settings and local ID to values that are appropriate for this particular module.

Figure 4-385. Manage IPsec Wizard > Import IPsec Proposal

8. After you have customized the policies or proposals, click Next.

Figure 4-386. Manage IPsec Wizard > Configuration Preview

9. Review the settings in the exported objects. If you want to save the settings as well as apply them, select the Save Configuration check box. If any of the TMS zl Modules is a master in a cluster and you want to immediately synchronize the changes, select the Synchronize changes to Participant check box. Note that this will cause the participant to reboot.

When you are ready to apply the configuration, click Next in the Configuration Preview window.

10. A window is displayed, showing the settings being applied to the TMS zl Module. When you see that they have been applied successfully, click Close.