HP TMS zl Module Security Administrator's Guide
4-21
Configuring a VPN on the HP TMS zl Module
IPsec VPNs
The remote client requests an IP address and default gateway from the IPsec Remote Access Server (IRAS) on the TMS zl Module between the IKE phase 1 and phase 2 negotiations. It may also request the addresses of DNS and WINS servers that will resolve domain names for the user while on the private network. Once they have received the IKE mode config parameters, the users appear as internal users on the network.
When configuring IKE mode config, follow these guidelines.
■ You can configure IKE mode config only for an IPsec policy that specifies Auto (with IKEv1) for Key Management and that is a client-to-site IKEv1 policy. Each IKEv1 client-to-site policy supports only one IP address pool.
■ Microsoft Windows VPN clients and IPSecuritas for Macintosh VPN clients do not support the TMS zl Module implementation of IKE mode config.
■ When configuring the IPsec policy for IKE mode config, on the traffic selector:
• Local Address must be the local addresses behind the TMS zl Module. You must specify these addresses manually instead of selecting a named object or Any.
• Remote Address must be the IKE mode config addresses.
■ As always, you must create access policies that permit the traffic that the remote VPN endpoints send over the VPN tunnel. The source zone for these policies is the IKE mode config zone.
■ When you configure IKE mode config in the IPsec policy, IRAS IP Address/Mask is the IP address that the TMS zl Module uses to route traffic from the IKE mode config addresses. This address and its associated subnet must be unique and must not be part of a TMS VLAN. A virtual interface will be created and associated with this subnet.
■ The address ranges for IKE mode config must be in the same subnet as the IRAS IP address. These ranges are also configured in the IPsec policy.
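The guidelines above are easy to get wrong when the values are typed by hand into the module's web interface, so the following added example (not HP's code and not an interface of the TMS zl Module) checks a planned client-to-site policy against them before deployment: a single address pool, Auto (IKEv1) key management, an IRAS subnet that does not overlap any TMS VLAN, pools that lie inside the IRAS subnet, and explicit Local Address entries rather than Any. The class name, field names and all sample addresses are assumptions constructed for illustration.

```python
"""Pre-deployment sanity checks for an IKE mode config plan.

Added example, not HP's code or the TMS zl Module's interface: it checks the
values an administrator intends to enter for an IKEv1 client-to-site policy
against the guide's IKE mode config guidelines. All names and sample values
are assumptions constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ModeConfigPlan:
    iras_interface: str            # IRAS IP Address/Mask, e.g. "10.99.0.1/24"
    address_pools: list[str]       # IKE mode config ranges as "start-end"
    tms_vlan_subnets: list[str]    # subnets already assigned to TMS VLANs
    local_addresses: list[str]     # traffic selector Local Address entries
    key_management: str = "auto-ikev1"   # policy must use Auto (IKEv1)
    policy_type: str = "client-to-site"


def _is_explicit_address(value: str) -> bool:
    """True for a literal host address or subnet; False for Any or a named object."""
    try:
        ipaddress.ip_network(value.strip(), strict=False)
        return True
    except ValueError:
        return False


def check_plan(plan: ModeConfigPlan) -> list[str]:
    """Return the guideline violations found; an empty list means the plan is consistent."""
    problems = []

    # Guideline: IKE mode config is only available on Auto (IKEv1) client-to-site policies.
    if plan.key_management != "auto-ikev1" or plan.policy_type != "client-to-site":
        problems.append("IKE mode config requires an Auto (IKEv1) client-to-site policy")

    # Guideline: each IKEv1 client-to-site policy supports only one address pool.
    if len(plan.address_pools) != 1:
        problems.append("each IKEv1 client-to-site policy supports exactly one address pool")

    # Guideline: the IRAS subnet must be unique and not part of a TMS VLAN.
    iras = ipaddress.ip_interface(plan.iras_interface)
    iras_net = iras.network
    for vlan in (ipaddress.ip_network(s, strict=False) for s in plan.tms_vlan_subnets):
        if iras_net.overlaps(vlan):
            problems.append(f"IRAS subnet {iras_net} overlaps TMS VLAN {vlan}")

    # Guideline: every address range must sit inside the IRAS subnet.
    for pool in plan.address_pools:
        start_text, end_text = pool.split("-")
        start = ipaddress.ip_address(start_text.strip())
        end = ipaddress.ip_address(end_text.strip())
        if start > end:
            problems.append(f"pool {pool}: start address is after end address")
        if start not in iras_net or end not in iras_net:
            problems.append(f"pool {pool} is not inside the IRAS subnet {iras_net}")
        if start <= iras.ip <= end:
            problems.append(f"pool {pool} includes the IRAS address {iras.ip} itself")

    # Guideline: Local Address must be entered manually, not as Any or a named object.
    for addr in plan.local_addresses:
        if not _is_explicit_address(addr):
            problems.append(f"Local Address {addr!r} must be an explicit address, not Any or a named object")

    return problems


if __name__ == "__main__":
    # Constructed sample plan: IRAS on its own /24, one pool inside it, explicit local subnet.
    plan = ModeConfigPlan(
        iras_interface="10.99.0.1/24",
        address_pools=["10.99.0.10-10.99.0.100"],
        tms_vlan_subnets=["192.168.1.0/24", "10.0.0.0/24"],
        local_addresses=["192.168.1.0/24"],
    )
    for problem in check_plan(plan) or ["plan is consistent with the IKE mode config guidelines"]:
        print(problem)
```

Run it once against the intended values; any line it prints corresponds to one of the guidelines above and would otherwise surface only as clients failing to obtain addresses or to reach the protected subnet after the tunnel comes up.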
Advanced IPsec Features
The TMS zl Module supports these advanced features:
■ IP compression
■ Customizable anti-replay window size
■ Extended sequence number
■ Re-key on sequence number overflow
■ Persistent tunnels