HP TMS zl Module Security Administrator's Guide
4-56
Configuring a VPN on the HP TMS zl Module
Configure an IPsec Client-to-Site VPN
Caution The remote addresses in combination with the local addresses must not include management traffic to the TMS zl Module. If you must select such traffic, first configure a Bypass policy with top priority that selects the management traffic; otherwise NIM will lose contact with the module and you will be locked out of the Web browser interface.
If you do cause NIM to lose contact with the TMS zl Module, follow this procedure:
1. Access the module and delete the IPsec policy:
• If the module has multiple IP addresses in its management-access zone, you might be able to contact the module's Web browser interface at one of the other addresses. You can then delete the faulty IPsec policy from the VPN > IPsec > IPsec Policies window (the policy will be labeled with the deployment name that you specified in the wizard).
• If you cannot reach the module's Web browser interface, you can use the CLI to delete the faulty IPsec policy. Access the host switch CLI and enter these commands:
    hostswitch(config)# services <slot ID> name tms-module
    hostswitch(tms-module-<slot ID>)# config
    hostswitch(tms-module-<slot ID>:config)# no ipsec policy <policy name>
Replace <slot ID> with the ID of the slot in which the TMS zl Module is installed. Replace <policy name> with the deployment name that you specified in the wizard. (You can also use the show ipsec policy command to view the name.)
2. NIM should now be able to contact the TMS zl Module. It is best practice to synchronize the TMS properties before you continue configuring.
3. You should also delete the IKEv1 policy and IPsec proposal that were applied before the faulty IPsec policy was applied. Otherwise, if you try to use the same deployment name when you run the wizard again, you will receive an error.
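As an added example (not from the guide or the module's own software), the Caution's rule expressed as a pre-deployment check: given the module's management address, the NIM host, and the planned IPsec policies in priority order, it reports the first non-Bypass policy whose local/remote/protocol selectors would capture the management traffic, or nothing if a higher-priority Bypass policy catches that traffic first. The policy model, the policy names and the addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class IpsecPolicy:
    """Hypothetical model of one IPsec policy as the wizard creates it."""
    name: str
    action: str          # "apply" (protect with IPsec) or "bypass"
    local: str           # local addresses: "Any", a host, or a CIDR subnet
    remote: str          # remote addresses: "Any", a host, or a CIDR subnet
    protocol: str = "Any"


def _selector_matches(selector, addr):
    """'Any' matches every address; otherwise test membership in the host/subnet."""
    if selector.lower() == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)


def selects_management(p, module_mgmt_ip, nim_ip, mgmt_protocol="tcp"):
    """True if the policy's selectors cover NIM <-> module management traffic
    (module management address on the local side, the NIM host on the remote side)."""
    proto = p.protocol.lower()
    if proto != ANY and proto != mgmt_protocol:
        return False
    return _selector_matches(p.local, module_mgmt_ip) and _selector_matches(p.remote, nim_ip)


def lockout_risk(policies, module_mgmt_ip, nim_ip):
    """Walk policies in priority order (highest first). Return the name of the first
    non-Bypass policy that would capture management traffic, or None if a Bypass
    policy catches it first (or no policy selects it at all)."""
    for p in policies:
        if selects_management(p, module_mgmt_ip, nim_ip):
            return None if p.action.lower() == "bypass" else p.name
    return None


# Constructed sample: made-up RFC 1918 addresses for the module and the NIM host.
MODULE_MGMT = "10.1.1.2"
NIM_HOST = "10.1.1.50"
RISKY = [IpsecPolicy("branch-vpn", "apply", "10.1.1.0/24", "Any", "Any")]
SAFE = [IpsecPolicy("mgmt-bypass", "bypass", "10.1.1.2/32", "10.1.1.50/32")] + RISKY

if __name__ == "__main__":
    print("risky deployment:", lockout_risk(RISKY, MODULE_MGMT, NIM_HOST))  # branch-vpn
    print("with bypass first:", lockout_risk(SAFE, MODULE_MGMT, NIM_HOST))  # None
```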
Note In general, take great care when specifying Any. Even if you do not select management traffic, you might inadvertently block necessary traffic. For example, if you select a local subnet for the local addresses, Any for the protocol, and Any for the remote addresses, the TMS zl Module will no longer