HP TMS zl Module Security Administrator's Guide
4-93
Configuring a VPN on the HP TMS zl Module
Configure an IPsec Client-to-Site VPN
– Any—Any IP protocol. Select this option to match all traffic
between the local and remote endpoints.
– TCP or UDP—Select this option in conjunction with a local port to
allow remote clients to access only specific services in the local
network.
– ICMP—Select this option to match only ICMP traffic.
– IP Protocols—Select one of these Layer 3 protocols, which are
listed by their IANA IP Protocol numbers.
Service objects and service groups will not appear in this list.
b. For Local Address, specify the IP addresses for all local endpoints to
which remote users are allowed access (indicated by 2 in the example
figure).
Do one of the following to specify addresses:
– Manually type an IP address, IP address range, or network
address in CIDR format. This is the typical choice.
The local addresses should be internal addresses on your private
network. Every address in this selector becomes reachable to
authenticated remote users, so make it no broader than those
users need.
– Select the single-entry IP, range, or network address object that
you created earlier for local endpoints.
An address object is not valid if you plan to configure IKE mode
config.
– Select Any to permit any IP address.
Any is not valid if you plan to configure IKE mode config.
c. Local Port is present if you selected TCP or UDP for Protocol. Type the
port number for the service to which you want to allow remote users
access. Leave the box empty to allow traffic to all ports.
d. The Remote Address setting depends on whether you will use IKE
mode config.
If you will use IKE mode config, specify the same addresses that you
will configure for the IKE mode config pool (indicated by 4 in the
example figure):
– Manually type an IP address, IP address range, or network
address in CIDR format.
– Select a single-entry IP, range, or network address object.
If you will not use IKE mode config, the Remote Address must match
exactly the value that the remote clients send for their local IP
address (indicated by 3 in the example figure); if the values differ,
the client's proposed traffic selector does not match this one and the
tunnel cannot be established. Some clients always send their actual IP
address. In this case, you must specify this single address and create