HP TMS zl Module Security Administrator's Guide

Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with IKE
Create Named Objects for the VPN (Optional)
You might want to configure the named objects indicated in Table 4-13 (for a
two-module VPN) or in Table 4-14 (for a three-module VPN). If you do configure
the objects, do so on all TMS zl Modules involved in the VPN. (You can, of
course, configure other objects that are appropriate for your environment.)
For your reference, each table includes the location where you will specify
these named objects later. (The configuration instructions in the following
sections will indicate when you actually need to specify each object.) The
tables also include a reference to numbers in the figures. The number indicates
the IP address for that named object in an example network. (See Chapter 6:
“Configuring the TMS zl Module Firewall” for step-by-step instructions for
configuring objects.)
Table 4-13. Possible Named Objects for an IPsec Site-to-Site VPN (Two Modules)

Example Figure Reference: 1
  Named Object Type: Single-entry IP address object
  Named Object Description: The IP address for the VPN gateway on the Site 1 module
  Location Where the Named Object is Specified:
    - Firewall access policies on both modules—Source or Destination for
      policies that permit IKE traffic

Example Figure Reference: 2
  Named Object Type: Single-entry IP, range, or network address objects
  Named Object Description: The IP addresses of Site 1 endpoints that are
    allowed to send traffic over the VPN
  Location Where the Named Object is Specified:
    - Local Network Address on Site 1 in the Deploy IPsec Site-to-Site VPN
      wizard
    - Firewall access policies on both modules—Source or Destination for
      policies that permit traffic sent across the VPN

Example Figure Reference: 3
  Named Object Type: Single-entry IP address object
  Named Object Description: The IP address for the VPN gateway on the Site 2 module
  Location Where the Named Object is Specified:
    - Firewall access policies on both modules—Source or Destination for
      policies that permit IKE traffic

Example Figure Reference: 4
  Named Object Type: Single-entry IP, range, or network address objects
  Named Object Description: The IP addresses of Site 2 endpoints that are
    allowed to send traffic over the VPN
  Location Where the Named Object is Specified:
    - Local Network Address on Site 2 in the Deploy IPsec Site-to-Site VPN
      wizard
    - Firewall access policies on both modules—Source or Destination for
      policies that permit traffic sent across the VPN