HP TMS zl Module Security Administrator's Guide

Configuring a VPN on the HP TMS zl Module
Configure an IPsec Client-to-Site VPN
Table 4-12. Checklist for Access Policies for an IPsec Client-to-Site VPN

| When Required | User Group | From Zone | To Zone | Service | Source | Destination | TCP MSS | Number of policies |
|---|---|---|---|---|---|---|---|---|
| Always | None | Remote | SELF | IKE (isakmp) | 3 or Any | 1 | | 1 |
| Always | None | SELF | Remote | IKE (isakmp) | 1 | 3 or Any | | 1 |
| With IKE mode config | XAUTH user groups or None | IKE mode config | Local | Any you choose | 4 | 2 | 1356 | As many as you choose |
| With IKE mode config; local endpoints initiate sessions with remote | None (or local user groups) | Local | IKE mode config | Any you choose | 2 | 4 | 1356 | As many as you choose |
| No IKE mode config | XAUTH user groups or None | Remote | SELF | Any you choose | 3 | 2 | 1356 | As many as you choose |
| No IKE mode config; local endpoints initiate sessions with remote | None (or local user groups) | Local | Remote | Any you choose | 2 | 3 | 1356 | As many as you choose |
| When NAT-T is used | None | Remote | SELF | NAT-T (ipsec-nat-t-udp) | 3 or Any | 1 | — | 1 |
| When NAT-T is used | None | SELF | Remote | NAT-T (ipsec-nat-t-udp) | 1 | 3 or Any | | 1 |

Verify Routes for a Client-to-Site VPN

The VPN will not come up unless the TMS zl Module or modules know the
correct routes.

Verify that your module knows a route or routes to the remote endpoints.
These routes can be a default route, static routes, or routes discovered through
a dynamic routing protocol. The routes' forwarding interface must be the public
interface specified in the Deploy IPsec Remote-Access VPN wizard (or the
local gateway address in the IKE policy).