HP TMS zl Module Security Administrator's Guide

Configuring a VPN on the HP TMS zl Module
Configure an IPsec Client-to-Site VPN
Create Access Policies for IPsec Client-to-Site VPNs
You must configure firewall access policies to allow the IKE traffic and the
traffic between the remote clients and the private network. This section gives
you checklists of access policies that are required for client-to-site VPNs. To
learn how to create the access policies, refer to Chapter 6: “Configuring the
TMS zl Module Firewall.” Note that you must create these policies on each
TMS zl Module on which you configured the VPN.
Before you begin configuring firewall access policies, determine the zone on
which traffic from the remote endpoints arrives. This is the zone associated
with the TMS VLAN on which the local VPN gateway address is configured. Often,
this is the External zone, but it could be another zone.
Then, determine the zone on which traffic from remote endpoints arrives after
the endpoints have been assigned IKE mode config addresses (you selected
this zone when you created the IPsec policy or completed the IPsec Remote
Access VPN Wizard). Again, this zone can be the External zone or another
zone.
You should also determine the zone for local endpoints that are allowed on
the VPN. This might be the Internal zone or another zone. The instructions
below will refer to this zone as the “local zone.” If VPN clients are allowed to
access multiple zones, you must create policies for each of these zones.
Figure 4-63 shows these zones for typical IPsec client-to-site VPNs.
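The three zones identified above determine the access-policy checklist. The following Python script is an added illustration, not HP's code and not the TMS zl Module's policy syntax: it builds the checklist from the arrival zone, the IKE mode config zone and the list of local zones, and flags any local zone that clients are supposed to reach but no policy covers. The zone names, the Policy fields, the "Self" zone name used for traffic addressed to the module itself, and the IKE/NAT-T port numbers are assumptions for the example.

```python
"""Added illustration (not HP's code): derive the access-policy checklist for
an IPsec client-to-site VPN from the three zones an administrator must
identify. Zone names, the Policy fields and the "Self" zone name for traffic
addressed to the module itself are assumptions, not TMS zl Module syntax."""
from dataclasses import dataclass
from typing import List

IKE_PORT = 500      # IKE/ISAKMP over UDP (standard port, not stated on the page)
NAT_T_PORT = 4500   # IKE and ESP encapsulated in UDP when a NAT is in the path
SELF_ZONE = "Self"  # assumed name for the zone holding the module's own addresses


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    service: str      # e.g. "udp/500", "esp", "any"
    purpose: str


def vpn_access_policies(gateway_zone: str, modecfg_zone: str,
                        local_zones: List[str], nat_t: bool = True) -> List[Policy]:
    """Return the access policies a client-to-site VPN needs.

    gateway_zone: zone of the TMS VLAN that holds the local VPN gateway address,
                  i.e. where the remote endpoints' IKE and ESP packets arrive.
    modecfg_zone: zone the clients' traffic belongs to once IKE mode config has
                  assigned them addresses.
    local_zones:  every zone the VPN clients are allowed to reach.
    """
    if not local_zones:
        raise ValueError("VPN clients must be allowed into at least one local zone")

    # Tunnel set-up: IKE (and NAT-T, ESP) from the arrival zone to the module itself.
    policies = [
        Policy(gateway_zone, SELF_ZONE, f"udp/{IKE_PORT}",
               "IKE negotiation from remote clients"),
        Policy(gateway_zone, SELF_ZONE, "esp",
               "ESP-protected traffic when no NAT is in the path"),
    ]
    if nat_t:
        policies.append(Policy(gateway_zone, SELF_ZONE, f"udp/{NAT_T_PORT}",
                               "IKE and ESP over UDP for clients behind NAT"))

    # Decrypted traffic: one pair of policies per local zone the clients may reach.
    for zone in local_zones:
        policies.append(Policy(modecfg_zone, zone, "any",
                               f"VPN clients reaching hosts in {zone}"))
        policies.append(Policy(zone, modecfg_zone, "any",
                               f"Hosts in {zone} initiating connections to VPN clients"))
    return policies


def zones_without_client_policy(policies: List[Policy], modecfg_zone: str,
                                local_zones: List[str]) -> List[str]:
    """Checklist check: local zones the clients should reach but no policy covers."""
    covered = {p.dst_zone for p in policies if p.src_zone == modecfg_zone}
    return [z for z in local_zones if z not in covered]


if __name__ == "__main__":
    # Typical layout: clients arrive on and keep the External zone, reach two local zones.
    ps = vpn_access_policies("External", "External", ["Internal", "DMZ"])
    for p in ps:
        print(f"{p.src_zone:>9} -> {p.dst_zone:<9} {p.service:<9} {p.purpose}")
    print("uncovered:", zones_without_client_policy(ps, "External", ["Internal", "DMZ", "Zone1"]))
```

The "any" service in the generated policies is a placeholder; on a real deployment narrow each client-to-local-zone policy to the services the clients actually need, and drop the local-zone-to-client direction entirely unless hosts on the private network must initiate connections to VPN clients, since the firewall's session state already admits return traffic. Run the check function once per module, because the policies must exist on every TMS zl Module on which the VPN is configured.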