HP TMS zl Module Security Administrator's Guide

4-196
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with IKE
Verify Routes for TMS zl Modules in the IPsec Site-to-Site VPN
Verify that the following routes exist on each TMS zl Module in the site-to-site VPN. These routes can be static routes or routes discovered through a dynamic routing protocol:

- A route to the other modules in the VPN
  The route's forwarding interface must be the VLAN that you specified for the gateway on this module in the wizard (or the interface associated with the specified IP address). This can be a default route.
- A route to the endpoints behind the other modules; the next hop must be the same as in the route to the other modules
  If the route to the other modules also includes the endpoints (for example, it is a default route), a separate route is not required.
For example, the remote gateway IP address is 192.168.1.22. The remote
endpoints behind the gateway are in subnet 10.1.55.0/24. In this example, a
default route through 192.168.115.1, the local router in the path to these
subnets, could fulfill the requirements for both routes. However, to better
illustrate the necessary routes, the figure shows two specific routes. Note that,
no matter how you set up the routes, the local VPN gateway configured in the
IKE policy must be 192.168.115.71, which is the module IP address on the
forwarding VLAN for these routes. (For more information about configuring
routing on the TMS zl Module, see the HP Threat Management Services zl
Module Management and Configuration Guide.)
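The two route requirements above can be checked mechanically against a routing table. The following Python is an added example, not code from the guide or from the TMS zl Module; the routing table is constructed to match the example in the text, and the VLAN name "VLAN115" and the dictionary layout are assumptions.

```python
import ipaddress

# Constructed routing table (hypothetical), modelled on the example in the text:
# remote gateway 192.168.1.22 and remote endpoints 10.1.55.0/24 are both reached
# through the local router 192.168.115.1 on the gateway VLAN (assumed name VLAN115).
ROUTES = [
    {"dest": "0.0.0.0/0",     "next_hop": "192.168.115.1", "interface": "VLAN115"},
    {"dest": "10.1.55.0/24",  "next_hop": "192.168.115.1", "interface": "VLAN115"},
    {"dest": "172.16.0.0/12", "next_hop": "192.168.20.1",  "interface": "VLAN20"},
]

def most_specific(routes):
    """Pick the longest-prefix route from a list of candidate routes (None if empty)."""
    return max(routes, key=lambda r: ipaddress.ip_network(r["dest"]).prefixlen, default=None)

def lookup(routes, ip):
    """Longest-prefix match: the route the module would use for a single address."""
    ip = ipaddress.ip_address(ip)
    return most_specific([r for r in routes if ip in ipaddress.ip_network(r["dest"])])

def check_vpn_routes(routes, remote_gateway, remote_subnet, gateway_vlan):
    """Return a list of problems; an empty list means both required routes exist."""
    problems = []
    subnet = ipaddress.ip_network(remote_subnet)
    # 1. Route to the other module: its forwarding interface must be the gateway VLAN.
    gw_route = lookup(routes, remote_gateway)
    if gw_route is None:
        return [f"no route to remote gateway {remote_gateway}"]
    if gw_route["interface"] != gateway_vlan:
        problems.append(f"route to {remote_gateway} uses {gw_route['interface']}, "
                        f"expected {gateway_vlan}")
    # 2. Route to the endpoints behind it: the most specific route that covers the whole
    #    subnet must share the gateway route's next hop. A default route with that next
    #    hop satisfies both requirements at once, as the text notes.
    ep_route = most_specific([r for r in routes
                              if subnet.subnet_of(ipaddress.ip_network(r["dest"]))])
    if ep_route is None:
        problems.append(f"no route covering endpoints {remote_subnet}")
    elif ep_route["next_hop"] != gw_route["next_hop"]:
        problems.append(f"endpoint route {ep_route['dest']} next hop {ep_route['next_hop']} "
                        f"differs from gateway next hop {gw_route['next_hop']}")
    # 3. A more-specific route inside the endpoint subnet with a different next hop would
    #    steer part of the endpoint traffic away from the VPN gateway.
    for r in routes:
        net = ipaddress.ip_network(r["dest"])
        if net != subnet and net.subnet_of(subnet) and r["next_hop"] != gw_route["next_hop"]:
            problems.append(f"more-specific route {r['dest']} via {r['next_hop']} "
                            f"bypasses the VPN next hop")
    return problems
```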
| When Required | From Zone | To Zone | Service | Source | Destination | TCP MSS | Number of policies |
|---|---|---|---|---|---|---|---|
| Always | Remote | SELF | IKE (isakmp) | 3 | 1 | | 1 |
| Always | SELF | Remote | IKE (isakmp) | 1 | 3 | | 1 |
| Always | Remote | Local | Any you choose | 4 | 2 | 1356 | As many as you choose |
| Always | Local | Remote | Any you choose | 2 | 4 | 1356 | As many as you choose |
| When NAT-T is used | Remote | SELF | NAT-T (ipsec-nat-t-udp) | 3 | 1 | | 1 |
| When NAT-T is used | SELF | Remote | NAT-T (ipsec-nat-t-udp) | 1 | 3 | | 1 |