HP TMS zl Module Security Administrator's Guide

4-95
Configuring a VPN on the HP TMS zl Module
Configure an IPsec Client-to-Site VPN
gateway address, you must create a Bypass IPsec policy to exclude IKE traffic to and from the module from the VPN. Otherwise the VPN cannot be established.
Caution Also take great care when specifying Any. You might inadvertently block
necessary traffic. For example, if you select a subnet for the local addresses,
Any for the protocol, and Any for the remote addresses, the TMS zl Module will
no longer allow those local endpoints to send any traffic except over the VPN.
You might need to create Bypass policies.
Note Finally, if the local traffic that will be sent over the VPN is also selected for
NAT, you must create a NAT exclusion policy.
a. For Remote Port, type a specific port number or leave the box empty
(which allows traffic to all ports). Typically, you should leave the box
empty.
b. If you selected ICMP for the protocol, for ICMP Type, leave Any.
Selecting a specific ICMP type requires you to use manual keying,
which is not typically an option for client-to-site VPNs.
3. For Proposal, select a previously configured IPsec proposal.
The IPsec proposal specifies the IPsec mode, IPsec protocol, and the authentication and encryption algorithms that secure the VPN connection. See “Create an IPsec Proposal for a Client-to-Site VPN” on page 4-82.
4. Click Next.
5. For Key Exchange Method, select Auto (with IKEv1).
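The Caution and Note above describe three traps in the traffic selectors: an Apply policy with Any selectors that swallows the module's own IKE packets, one that forces all of a subnet's traffic into the tunnel, and NAT rewriting the source address so the local selector no longer matches. The following is an added example, not HP's code and not the TMS zl Module's internal implementation. It models first-match policy evaluation under stated assumptions (policies evaluated top-down, outbound direction only with source as local and destination as remote, NAT decided before the IPsec policy lookup). All addresses, pool ranges and policy names are constructed for illustration; IKE on UDP 500, and UDP 4500 with NAT traversal, is standard.

```python
"""Model of first-match IPsec policy selection on a VPN gateway.

Added example, not HP's code and not how the TMS zl Module is implemented
internally. Assumptions: policies are evaluated top-down and the first match
wins; only the outbound direction is modelled (src = local, dst = remote);
NAT is decided before the IPsec policy lookup. Addresses, pool ranges and
policy names are constructed. IKE runs over UDP 500 (UDP 4500 with NAT-T).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

MODULE_ADDR = "203.0.113.10"       # constructed: the module's VPN gateway address
CLIENT_PUBLIC = "198.51.100.5"     # constructed: a VPN client's Internet address
CLIENT_POOL = "172.16.50.0/24"     # constructed: addresses handed to connected clients
LOCAL_LAN = "10.1.0.0/24"          # constructed: LAN behind the module
IKE_PORTS = (500, 4500)


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                        # "Apply" = protect with IPsec, "Bypass" = send in the clear
    local: str                         # CIDR or "Any"
    remote: str                        # CIDR or "Any"
    proto: str                         # "Any", "udp", "tcp" or "icmp"
    remote_port: Optional[int] = None  # None = all ports (the typical setting)


@dataclass(frozen=True)
class NatRule:
    src: str                           # CIDR whose source address is translated
    to: str                            # address it is translated to
    exclude_dst: Sequence[str] = ()    # destinations exempt from NAT (the "NAT exclusion")


def _sel_ok(selector: str, addr: str) -> bool:
    return selector == "Any" or ip_address(addr) in ip_network(selector, strict=False)


def apply_nat(rules: Sequence[NatRule], src: str, dst: str) -> str:
    """Source address after NAT; unchanged when no rule applies or the destination is excluded."""
    for r in rules:
        excluded = any(ip_address(dst) in ip_network(x) for x in r.exclude_dst)
        if ip_address(src) in ip_network(r.src) and not excluded:
            return r.to
    return src


def select_policy(policies: Sequence[Policy], src: str, dst: str,
                  proto: str, dport: Optional[int] = None):
    """First matching policy as (action, name); ("None", None) when nothing matches."""
    for p in policies:
        if not (_sel_ok(p.local, src) and _sel_ok(p.remote, dst)):
            continue
        if p.proto != "Any" and p.proto != proto:
            continue
        if p.remote_port is not None and p.remote_port != dport:
            continue
        return p.action, p.name
    return "None", None


def outcome(policies, nat_rules, src, dst, proto, dport=None):
    """NAT first, then IPsec policy lookup on the (possibly translated) source."""
    return select_policy(policies, apply_nat(nat_rules, src, dst), dst, proto, dport)


# The configuration the Caution warns about: local Any, remote Any, protocol Any.
TUNNEL_ALL = Policy("client-vpn", "Apply", "Any", "Any", "Any")
# Bypass policies that let the module's own IKE traffic out in the clear.
BYPASS_IKE = [Policy(f"bypass-ike-{p}", "Bypass", MODULE_ADDR, "Any", "udp", p) for p in IKE_PORTS]
# A narrower policy: only the LAN talking to the client pool is protected.
LAN_TO_CLIENTS = Policy("lan-to-clients", "Apply", LOCAL_LAN, CLIENT_POOL, "Any")


def ike_from_module(policies):
    """Module answering a client's IKE. "Apply" means IKE is swallowed by the tunnel it is trying to build."""
    return outcome(policies, [], MODULE_ADDR, CLIENT_PUBLIC, "udp", 500)


def lan_dns_to_internet(policies):
    """A LAN host querying a public resolver; "Apply" means it is forced into the VPN."""
    return outcome(policies, [], "10.1.0.7", "192.0.2.53", "udp", 53)


def lan_to_client(nat_rules):
    """A LAN host reaching a connected client, with NAT decided before the policy lookup."""
    return outcome([LAN_TO_CLIENTS], nat_rules, "10.1.0.7", "172.16.50.20", "tcp", 445)


if __name__ == "__main__":
    print("IKE, Apply-all only:       ", ike_from_module([TUNNEL_ALL]))
    print("IKE, Bypass policies first:", ike_from_module(BYPASS_IKE + [TUNNEL_ALL]))
    print("LAN DNS, Apply-all:        ", lan_dns_to_internet([TUNNEL_ALL]))
    print("LAN->client, NAT, no excl: ", lan_to_client([NatRule(LOCAL_LAN, MODULE_ADDR)]))
    print("LAN->client, NAT exclusion:", lan_to_client([NatRule(LOCAL_LAN, MODULE_ADDR, (CLIENT_POOL,))]))
```

Run as a script, the first two lines show why the Bypass policy for IKE has to sit above the Apply policy: with only the catch-all policy, the module's own UDP 500 traffic is selected for protection by a tunnel that does not exist yet. The third line shows the Caution's effect on a LAN host, and the last two show that once NAT rewrites the source to the gateway address, the local selector no longer matches unless a NAT exclusion keeps the original address for traffic bound to the client pool.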