HP TMS zl Module Security Administrator's Guide

4-25
Configuring a VPN on the HP TMS zl Module
IPsec VPNs
However, a device located between the two endpoints of a VPN tunnel sometimes
performs NAT on packets that have already been encapsulated for the tunnel.
Because the addresses are altered after the packets have been protected, the
packets fail integrity checks during IKE. In this case, NAT Traversal (NAT-T)
is required so that the tunnel endpoints are notified that the IP addresses
will be altered.
Figure 4-11 shows an environment that requires NAT-T. In this example, you
have configured a VPN to allow remote users to access devices in ZONE1
(VLAN 30) securely over the Internet. The remote client is behind a NAT
device, so NAT-T is required. (This example also applies if the module, or
both the module and the client, is behind a NAT device.)
The TMS zl Module automatically negotiates NAT-T when it is required; you do
not need to configure any settings. Note, however, that you must create
firewall access policies that allow NAT-T traffic in addition to the other
access policies required for the VPN. This example shows only the firewall
access policies for NAT-T; you must create other policies to permit IKE
traffic, L2TP traffic, and traffic sent over the VPN.
Note For a VPN established with manual keying, NAT-T is not required even when
NAT is performed on the traffic of one or both tunnel endpoints.
Figure 4-11. NAT Traversal
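The NAT detection that IKE performs on behalf of NAT-T, and the set of firewall
policies that follows from it, as an added Python illustration (not code from
this guide or from the TMS zl Module): it builds RFC 3947 NAT-D hashes for a
constructed remote client and module, rewrites the client's outer source
address the way a NAT device would, and shows the module detecting the NAT and
selecting UDP port 4500. The addresses, IKE cookies, the SHA-1 hash, the helper
names and the policy representation are assumptions made for the example; the
module's own access-policy syntax is not shown.

```python
"""Illustration of IKE NAT detection (RFC 3947 NAT-D payloads) and of the
traffic a VPN gateway's firewall policies must permit for NAT-T.
All addresses and cookies below are constructed for the example."""
import hashlib
import ipaddress
import struct
from typing import Set, Tuple

IKE_PORT = 500        # ISAKMP/IKE
NAT_T_PORT = 4500     # UDP-encapsulated IKE and ESP (RFC 3948)
L2TP_PORT = 1701      # L2TP control/data, carried inside the tunnel here
ESP_PROTOCOL = 50     # plain ESP when no NAT is in the path

Endpoint = Tuple[str, int]  # (IP address, UDP port)


def nat_d_hash(cookie_i: bytes, cookie_r: bytes, ep: Endpoint) -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here; the real value uses the negotiated hash."""
    ip, port = ep
    data = cookie_i + cookie_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d(cookie_i: bytes, cookie_r: bytes, local: Endpoint, remote: Endpoint):
    """What a peer sends: hash of the remote address first, then of its own."""
    return nat_d_hash(cookie_i, cookie_r, remote), nat_d_hash(cookie_i, cookie_r, local)


def simulate_nat(public_ip: str, public_port: int) -> Endpoint:
    """A NAT device rewrites the outer source address/port of the IKE packet."""
    return (public_ip, public_port)


def detect_nat(cookie_i: bytes, cookie_r: bytes, received_nat_d,
               observed_src: Endpoint, own: Endpoint) -> Tuple[bool, bool]:
    """Receiver side: recompute the hashes over the addresses actually seen in
    the IP/UDP header and compare with what the peer hashed before any NAT.
    Returns (peer_behind_nat, receiver_behind_nat)."""
    hash_of_me, hash_of_peer = received_nat_d
    peer_behind_nat = hash_of_peer != nat_d_hash(cookie_i, cookie_r, observed_src)
    me_behind_nat = hash_of_me != nat_d_hash(cookie_i, cookie_r, own)
    return peer_behind_nat, me_behind_nat


def required_firewall_policies(nat_detected: bool, manual_keying: bool,
                               l2tp: bool = False) -> Set[Tuple[str, int]]:
    """Traffic the firewall access policies must permit for the tunnel itself.
    Traffic sent over the VPN still needs its own policies."""
    rules: Set[Tuple[str, int]] = set()
    if l2tp:
        rules.add(("udp", L2TP_PORT))
    if manual_keying:
        rules.add(("esp", ESP_PROTOCOL))   # no IKE, so no NAT-T negotiation
        return rules
    rules.add(("udp", IKE_PORT))
    if nat_detected:
        rules.add(("udp", NAT_T_PORT))     # IKE floats to 4500, ESP is UDP-encapsulated
    else:
        rules.add(("esp", ESP_PROTOCOL))
    return rules


def run_example(client_behind_nat: bool = True) -> dict:
    """Remote client (private address) talks to the module's public interface."""
    cookie_i = bytes.fromhex("0011223344556677")  # constructed IKE cookies
    cookie_r = bytes.fromhex("8899aabbccddeeff")
    client_private = ("192.168.1.10", IKE_PORT)   # remote client behind NAT
    module = ("198.51.100.1", IKE_PORT)           # TMS zl Module (constructed)
    nat_d = build_nat_d(cookie_i, cookie_r, local=client_private, remote=module)
    observed_src = (simulate_nat("203.0.113.5", 61000)
                    if client_behind_nat else client_private)
    client_natted, module_natted = detect_nat(cookie_i, cookie_r, nat_d,
                                              observed_src, module)
    policies = required_firewall_policies(client_natted or module_natted,
                                          manual_keying=False, l2tp=True)
    return {"client_behind_nat": client_natted,
            "module_behind_nat": module_natted,
            "policies": policies}


if __name__ == "__main__":
    for name, rule in sorted(run_example().items()):
        print(name, rule)
```

In the NAT case the module must be allowed to receive UDP 500 (initial IKE)
and UDP 4500 (IKE after it floats, plus UDP-encapsulated ESP); without a NAT in
the path, ESP arrives as IP protocol 50 instead. The `manual_keying` branch
mirrors the note above: with no IKE exchange there is no NAT-T negotiation.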