HP TMS zl Module Security Administrator's Guide
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with IKE
• Click within the Local Network Address field and type a value. You can
type an IP address, range of IP addresses (first IP address-last IP
address), or subnet (network address/prefix length).
16. If the Local Port setting is available, you can type a specific port for a
service to which endpoints at Site 2 are allowed access. Or you can leave
the field blank (which allows traffic to any port).
Caution: The wizard combines the local network settings for both sites to
produce a traffic selector for the VPN. For example, the Site 1 module selects
incoming traffic between the Site 1 local network and the Site 2 local network
for the VPN, and vice versa. Typically, the selected traffic does not include
management traffic for the TMS zl Modules themselves. If, however, it does,
you first must configure Bypass policies with top priority that select the
management traffic. Otherwise, NIM will lose contact with the module, and you
will be locked out of the Web browser interface.
If you do cause NIM to lose contact with a TMS zl Module, follow this
procedure:
1. Access the module and delete the IPsec policy:
• If the module has multiple IP addresses in its management-access
zone, you might be able to contact the module’s Web browser interface
at one of the other addresses. You can then delete the faulty IPsec
policy from the VPN > IPsec > IPsec Policies window (the policy will
be labeled with the deployment name that you specified in the wizard).
• If you cannot reach the module’s Web browser interface, you can use
the CLI to delete the faulty IPsec policy. Access the host switch CLI
and enter these commands:
hostswitch(config)# services <slot ID> name tms-module
hostswitch(tms-module-<slot ID>)# config
hostswitch(tms-module-<slot ID>:config)# no ipsec policy <policy name>
Replace <slot ID> with the ID of the slot in which the TMS zl
Module is installed. Replace <policy name> with the deployment
name that you specified in the wizard. (You can also use the show
ipsec policy command to view the name.)
2. NIM should now be able to contact the TMS zl Module. It is best practice
to synchronize the TMS properties before you continue configuring.
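The following added example (not part of the HP guide or the module's software) shows one way to check, before running the wizard, whether the traffic selector described in the Caution would capture management traffic. The function names and all addresses are assumptions made for illustration; the check ignores the Local Port field, which matches leaving it blank.

```python
import ipaddress

def parse_selector(value):
    """Parse one address value in the three forms the wizard accepts:
    single IP address, range (first-last), or subnet (network/prefix)."""
    value = value.strip()
    if "/" in value:
        return [ipaddress.ip_network(value, strict=False)]
    if "-" in value:
        first, last = (ipaddress.ip_address(p.strip())
                       for p in value.split("-", 1))
        # Raises ValueError if the last address precedes the first.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(value)]  # single host becomes /32 (or /128)

def covered(addr, networks):
    """True if addr falls inside any network of a parsed selector."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def management_flows_in_vpn(local_net, remote_net, module_ips, manager_ips):
    """Return the (module IP, manager IP) pairs that a traffic selector
    built from local_net <-> remote_net would pull into the VPN.
    A non-empty result means a top-priority Bypass policy is needed first."""
    local = parse_selector(local_net)
    remote = parse_selector(remote_net)
    return [(m, n) for m in module_ips for n in manager_ips
            if covered(m, local) and covered(n, remote)]

if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    site1_local = "10.1.0.0/16"
    site2_local = "10.2.10.1-10.2.10.50"
    module_mgmt_ips = ["10.1.1.1"]   # assumed Site 1 module management address
    nim_ips = ["10.2.10.20"]         # assumed NIM server located at Site 2
    for module_ip, nim_ip in management_flows_in_vpn(
            site1_local, site2_local, module_mgmt_ips, nim_ips):
        print(f"Bypass policy needed first: {module_ip} <-> {nim_ip}")
```

Run the check once per site, swapping the local and remote values, because each module builds its selector from its own side.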