HP TMS zl Module Security Administrator's Guide

4-221
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with IKE
IP Protocols—Select one of these Layer 3 protocols, which are
listed by their IANA IP Protocol numbers.
Service objects and service groups will not appear in this list.
b. For Local Address, specify the IP addresses of all local endpoints that
are allowed to send traffic over the VPN (indicated by 2 in the figure).
Do one of the following to specify addresses:
Select Any to permit any IP address.
Select the single-entry IP, range, or network address object that
you configured for local endpoints. (An address object is not valid
for a transport-mode VPN.)
Manually type an IP address, an IP address range, or a network
address in CIDR format.
c. Local Port is present if you selected TCP or UDP for Service. Type the
specific port of the service to which remote endpoints are allowed
access, or leave the field blank (which allows traffic to any port).
d. For Remote Address, specify the addresses for all remote endpoints
allowed to send and receive traffic over the VPN (indicated by 4 in
the figure).
Do one of the following to specify remote addresses:
Select Any to permit any IP address.
Select the single-entry IP, range, or network address object that
you configured for endpoints behind the remote VPN gateway.
Manually type an IP address, an IP address range, or a network
address in CIDR format.
e. Remote Port is present if you selected TCP or UDP for Service. Type the
port number for the service that you want to allow local endpoints to
access in the remote network. Or leave the field blank (which allows
traffic to any port).
f. If you selected ICMP for Service, for ICMP Type, select Any.
If you select Echo or Timestamp instead, the tunnel must use manual keying
rather than IKE. See “Configuring an IPsec Site-to-Site VPN with Manual
Keying” on page 4-230.
Caution If your traffic selector will include management traffic to a TMS zl Module,
you must first configure a Bypass policy with top priority on that module
that selects the management traffic. Otherwise, NIM will lose contact with the
module, and you will be locked out of the Web browser interface.
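The following is an added example, not HP's code and not part of the original guide. It models the traffic-selector fields from steps b through e above (Service; Local and Remote Address as Any, a single IP, a range, or a CIDR network; Local and Remote Port left blank for any port) and lets you test, before committing a policy, whether the selector would capture the module's management traffic without a higher-priority Bypass policy in front of it, which is the lockout the caution warns about. It assumes that IPsec policies are evaluated in priority order with first match winning (as "top priority" implies), that a Bypass match passes traffic in the clear while an "Apply" match forces it into the tunnel (the action name "Apply" is assumed for this model), and that the addresses, ports and policy names are constructed for illustration.

```python
"""Check an IPsec traffic selector against management traffic before committing it.

Hypothetical helper written to illustrate the caution above; not HP's code. It
models the TMS zl traffic-selector fields (Service, Local/Remote Address as Any,
a single IP, a 'lo-hi' range or CIDR, Local/Remote Port blank = any) and assumes
policies are evaluated in priority order, first match wins, with "Bypass"
passing traffic in the clear and "Apply" (assumed name) forcing it into the tunnel.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def addr_matches(spec: str, ip: str) -> bool:
    """Match an address field value: Any, a single IP, 'lo-hi' range, or CIDR."""
    if spec.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    if "/" in spec:
        return addr in ipaddress.ip_network(spec.strip(), strict=False)
    return addr == ipaddress.ip_address(spec.strip())


def port_matches(spec: Optional[int], port: Optional[int]) -> bool:
    """A blank port field (None) allows any port."""
    return spec is None or spec == port


# A flow as seen from the module: (service, local_ip, local_port, remote_ip, remote_port)
Flow = Tuple[str, str, Optional[int], str, Optional[int]]


@dataclass(frozen=True)
class Selector:
    service: str                      # "TCP", "UDP", "ICMP" or an IANA protocol number
    local: str = "Any"
    remote: str = "Any"
    local_port: Optional[int] = None  # only present for TCP/UDP; None = any
    remote_port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        service, lip, lport, rip, rport = flow
        return (self.service.upper() == service.upper()
                and addr_matches(self.local, lip)
                and addr_matches(self.remote, rip)
                and port_matches(self.local_port, lport)
                and port_matches(self.remote_port, rport))


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int     # 1 = evaluated first
    action: str       # "Bypass" or "Apply" (action names assumed for this model)
    selector: Selector


def first_match(policies: Sequence[Policy], flow: Flow) -> Optional[Policy]:
    """Return the highest-priority policy whose selector matches the flow."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.selector.matches(flow):
            return policy
    return None


def management_locked_out(policies: Sequence[Policy], mgmt_flow: Flow) -> bool:
    """True if the management flow would be pulled into the tunnel instead of
    being matched first by a Bypass policy (the lockout the caution describes)."""
    hit = first_match(policies, mgmt_flow)
    return hit is not None and hit.action == "Apply"


# Constructed sample data (illustrative addresses, not from the guide): module
# management address 10.1.1.1 serving HTTPS on 443, NIM server at 10.1.1.50,
# remote site network 192.168.2.0/24.
MGMT_FLOW: Flow = ("TCP", "10.1.1.1", 443, "10.1.1.50", None)

BROAD_TUNNEL = Policy("site-to-site-any", 10, "Apply",
                      Selector("TCP", local="Any", remote="Any"))
NARROW_TUNNEL = Policy("site-to-site", 10, "Apply",
                       Selector("TCP", local="10.1.1.0/24", remote="192.168.2.0/24"))
MGMT_BYPASS = Policy("mgmt-bypass", 1, "Bypass",
                     Selector("TCP", local="10.1.1.1", local_port=443, remote="10.1.1.50"))
LATE_BYPASS = Policy("mgmt-bypass-too-low", 20, "Bypass", MGMT_BYPASS.selector)


if __name__ == "__main__":
    cases = [("broad tunnel, no bypass", [BROAD_TUNNEL]),
             ("broad tunnel + top-priority bypass", [BROAD_TUNNEL, MGMT_BYPASS]),
             ("broad tunnel + bypass ranked below tunnel", [BROAD_TUNNEL, LATE_BYPASS]),
             ("narrow tunnel, no bypass", [NARROW_TUNNEL])]
    for label, policies in cases:
        hit = first_match(policies, MGMT_FLOW)
        print(f"{label}: first match = {hit.name if hit else None}, "
              f"lockout = {management_locked_out(policies, MGMT_FLOW)}")
```

The third case is the one that catches people: a Bypass policy that exists but sits below the tunnel policy in priority does nothing, because the Apply policy matches first. The fourth case shows the alternative the caution implies: if the tunnel selector is narrow enough that it never matches the NIM-to-module flow, no Bypass policy is needed.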
If you do cause NIM to lose contact with a TMS zl Module, follow this
procedure: