HP TMS zl Module Security Administrator's Guide
Configuring a VPN on the HP TMS zl Module
Configure an IPsec Client-to-Site VPN
You can, of course, configure other objects that are appropriate for your
environment. And you might choose not to configure some of the objects. For
example, you might not know the actual IP address of every remote VPN client,
particularly when remote users connect through the Internet. Or the IP
addresses might not be contiguous, preventing you from placing them in a
single-entry object (which is required for address objects used in VPNs).
Table 4-3. Possible Named Objects for Client-to-Site VPNs

Example Figure Reference: 1
Named Object Description: The TMS zl Module IP address that acts as the
local VPN gateway
Named Object Type: Single-entry IP address object
Location Where the Named Object is Specified: Source or Destination for
firewall access policies that permit IKE traffic

Example Figure Reference: 2
Named Object Description: The IP addresses of local endpoints that remote
users are allowed to access over the VPN
Named Object Type: Single-entry or multiple-entry IP, range, or network
address objects
*Must be single-entry if you plan to specify it for the IPsec Local Address
Location Where the Named Object is Specified:
• Source or Destination for firewall access policies that permit traffic
sent across the VPN
• If IKE mode config is not used, Local Address in the IPsec policy traffic
selector

Example Figure Reference: 3
Named Object Description: The actual IP addresses of remote VPN clients
Named Object Type: Single-entry or multiple-entry IP, range, or network
address object
*Must be single-entry if you plan to specify it for the IPsec Local Address
Location Where the Named Object is Specified:
• Source or Destination for firewall access policies that permit IKE traffic
• If IKE mode config is not used:
– Remote Address in the IPsec policy traffic selector
– Source or Destination for firewall access policies that permit traffic
sent across the VPN

Example Figure Reference: 4
Named Object Description: The virtual IP addresses assigned to remote VPN
clients using IKE mode config
Named Object Type: Single-entry IP, range, or network address objects
Location Where the Named Object is Specified:
• Remote Address in the IPsec policy traffic selector
• Source or Destination for firewall access policies that permit traffic
sent across the VPN
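
The contiguity constraint described before Table 4-3 can be checked while planning address objects. The following is an added example, not taken from the HP guide: the function names are hypothetical, the addresses are constructed from documentation ranges, and it assumes that "single-entry" means exactly one IP address, one contiguous range, or one CIDR network.

```python
import ipaddress

# Constructed sample client lists (RFC 5737 documentation addresses).
SAMPLES = {
    "contiguous": ["192.0.2.10", "192.0.2.12", "192.0.2.11"],
    "cidr-aligned": [f"198.51.100.{i}" for i in range(8)],
    "scattered": ["203.0.113.5", "203.0.113.9", "203.0.113.10"],
}


def classify_address_object(addresses):
    """Hypothetical helper: (kind, value) for the object covering exactly these IPv4 addresses."""
    ips = sorted({ipaddress.IPv4Address(a) for a in addresses})
    if not ips:
        raise ValueError("no addresses given")
    # Split the sorted, de-duplicated set into runs of consecutive addresses.
    runs, start, prev = [], ips[0], ips[0]
    for ip in ips[1:]:
        if int(ip) != int(prev) + 1:
            runs.append((start, prev))
            start = ip
        prev = ip
    runs.append((start, prev))
    if len(runs) > 1:
        # Not contiguous: one entry per run, so the object is multiple-entry.
        return "multiple-entry", [str(a) if a == b else f"{a}-{b}" for a, b in runs]
    first, last = runs[0]
    if first == last:
        return "single-entry IP", str(first)
    # A contiguous run is a network object only if it is exactly one CIDR block.
    nets = list(ipaddress.summarize_address_range(first, last))
    if len(nets) == 1:
        return "single-entry network", str(nets[0])
    return "single-entry range", f"{first}-{last}"


def usable_as_traffic_selector(addresses):
    """Per the guide, address objects specified in the IPsec policy must be single-entry."""
    return classify_address_object(addresses)[0].startswith("single-entry")


if __name__ == "__main__":
    for name, addrs in SAMPLES.items():
        print(name, classify_address_object(addrs), usable_as_traffic_selector(addrs))
```

The helper reports a scattered set as multiple-entry rather than widening it to a covering range, because a covering range would also match addresses that were never listed.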