HP TMS zl Module Security Administrator's Guide

Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with IKE
Note: The value for TCP MSS in the table is only a suggestion. You should determine the best setting for your environment.
Table 4-20. Checklist for Access Policies for an IPsec Site-to-Site VPN That Uses IKE

When Required       From Zone  To Zone  Service                   Source  Destination  TCP MSS  Number of policies

Site 1 or Hub Module
Always              Remote     SELF     IKE (isakmp)              3       1                     1
Always              SELF       Remote   IKE (isakmp)              1       3                     1
Always              Remote     Local    Any you choose            4       2            1356     As many as you choose
Always              Local      Remote   Any you choose            2       4            1356     As many as you choose
When NAT-T is used  Remote     SELF     NAT-T (ipsec-nat-t-udp)   3       1                     1
When NAT-T is used  SELF       Remote   NAT-T (ipsec-nat-t-udp)   1       3                     1

Site 2 or Spoke 1 Module
Always              Remote     SELF     IKE (isakmp)              3       1                     1
Always              SELF       Remote   IKE (isakmp)              1       3                     1
Always              Remote     Local    Any you choose            4       2            1356     As many as you choose
Always              Local      Remote   Any you choose            2       4            1356     As many as you choose
When NAT-T is used  Remote     SELF     NAT-T (ipsec-nat-t-udp)   3       1                     1
When NAT-T is used  SELF       Remote   NAT-T (ipsec-nat-t-udp)   1       3                     1

Spoke 2 Module