HP TMS zl Module Security Administrator's Guide

4-106
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with IKE
If you selected RSA or DSA signatures for the IKE authentication method, you
must install certificates on the TMS zl Module or modules. See “Manage
Certificates” on page 4-394.
Otherwise, you are finished configuring the VPN (on the module side). However,
you can configure global settings if you want. See “Configure Global
IPsec Settings” on page 4-429.
Configuring an IPsec Site-to-Site VPN with IKE
Typically, you will configure an IPsec site-to-site VPN using IKE as explained
in this section. NIM provides several tools for this configuration.
You can use the Deploy IPsec Site-to-Site wizard to simultaneously configure
the IKE and IPsec settings required for all gateways involved in the site-to-site
VPN, speeding the configuration and eliminating problems from incompatible
settings. You can use this wizard in this way if all gateways in the site-to-site
VPN are TMS zl Modules that are managed by this PCM+/NIM server.
You can also use this wizard to create a site-to-site VPN between a TMS zl
Module and any IKEv1 and IPsec-compliant gateway. However, in this case,
the wizard only configures the settings on the TMS zl Module; you must
configure the remote endpoint separately.
In either case, see “Configuring an IPsec Site-to-Site VPN Between TMS zl
Modules—Deploy IPsec Site-to-Site VPN Wizard” on page 4-107.
You can also create a site-to-site VPN by configuring IKE policies, IPsec
proposals, and IPsec policies separately using the Manage IPsec wizard. See
“Configuring an IPsec Site-to-Site VPN Between a TMS zl Module and Non-TMS
Gateway—Manage IPsec Wizard” on page 4-197.
Note: The TMS zl Modules also support manual keying, which is a less secure option
for establishing an IPsec VPN. However, manual keying is required for VPNs
that carry only ICMP Echo or ICMP Timestamp traffic. See “Configuring an
IPsec Site-to-Site VPN with Manual Keying” on page 4-230.