HP TMS zl Module Security Administrator's Guide
4-222
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with IKE
1. Access the module and delete the IPsec policy:
• If the module has multiple IP addresses in its management-access
zone, you might be able to contact the module's Web browser interface
at one of the other addresses. You can then delete the faulty IPsec
policy from the VPN > IPsec > IPsec Policies window (the policy will
be labeled with the deployment name that you specified in the wizard).
• If you cannot reach the module's Web browser interface, you can use
the CLI to delete the faulty IPsec policy. Access the host switch CLI
and enter these commands:
    hostswitch(config)# services <slot ID> name tms-module
    hostswitch(tms-module-<slot ID>)# config
    hostswitch(tms-module-<slot ID>:config)# no ipsec policy <policy name>
Replace <slot ID> with the ID of the slot in which the TMS zl
Module is installed. Replace <policy name> with the deployment
name that you specified in the wizard. (You can also use the show
ipsec policy command to view the name.)
2. NIM should now be able to contact the TMS zl Module. It is best practice
to synchronize the TMS properties before you continue configuring.
Caution: Typically, the local addresses are internal addresses on the site's private
network, while the local gateway address (which you configured in the previous
window) is the TMS zl Module's public or external address. If, however, for
whatever reason the set of local addresses specified here includes the local
gateway address, you must create a Bypass IPsec policy to exclude IKE traffic
to and from the module from the VPN. Otherwise the VPN cannot be established.
Caution: Also take great care when specifying Any. You might inadvertently block
necessary traffic. For example, if you select a subnet for the local addresses,
Any for the protocol, and Any for the remote addresses, the TMS zl Module will
no longer allow those local endpoints to send any traffic except over the VPN.
You might need to create Bypass policies.
Note: Finally, if the local traffic that will be sent over the VPN is also selected for
NAT, you must create a NAT exclusion policy.
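The three cautions above describe conditions under which a traffic selector choice needs a companion policy (a Bypass policy for IKE, Bypass policies for non-VPN traffic, or a NAT exclusion policy). The following pre-deployment check is an added example, not HP's code or part of the TMS zl Module; the PolicyDraft field names and the sample addresses (RFC 5737/1918 ranges) are constructed for illustration.

```python
"""Flag companion policies an IPsec site-to-site draft will need before it is deployed."""
import ipaddress
from dataclasses import dataclass, field

ANY = "any"  # stands for the wizard's "Any" selector


@dataclass
class PolicyDraft:
    # Assumed field names; they mirror the wizard fields, not a real HP API.
    name: str
    local_gateway: str              # the module's public/external address
    local_addresses: list           # local subnets/hosts, or [ANY]
    remote_addresses: list          # remote subnets/hosts, or [ANY]
    protocol: str = ANY             # "any", "tcp", "udp", ...
    natted_local: list = field(default_factory=list)  # local nets also selected for NAT


def _covers(selectors, address):
    """True if the selector set (or Any) contains the single address."""
    if ANY in selectors:
        return True
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(s, strict=False) for s in selectors)


def _overlaps(selectors, net):
    """True if any selector (or Any) shares addresses with the network."""
    if ANY in selectors:
        return True
    target = ipaddress.ip_network(net, strict=False)
    return any(ipaddress.ip_network(s, strict=False).overlaps(target) for s in selectors)


def companion_policies(draft):
    """Return (kind, detail) pairs for each extra policy the guide requires."""
    needed = []
    # Local selectors include the gateway: IKE itself would be pulled into the tunnel.
    if _covers(draft.local_addresses, draft.local_gateway):
        needed.append(("bypass-ike", f"Bypass IPsec policy for IKE to/from {draft.local_gateway}"))
    # Any protocol + Any remote: those endpoints can only talk through the VPN.
    if draft.protocol.lower() == ANY and ANY in draft.remote_addresses:
        needed.append(("bypass-any", "Bypass policies for traffic that must stay outside the VPN"))
    # Local traffic both tunnelled and NATed needs a NAT exclusion policy.
    for net in draft.natted_local:
        if _overlaps(draft.local_addresses, net):
            needed.append(("nat-exclusion", f"NAT exclusion policy for {net}"))
    return needed


# Constructed sample drafts for a site-to-site pair.
CLEAN = PolicyDraft("site-a", "203.0.113.5", ["192.168.10.0/24"], ["192.168.20.0/24"], "tcp")
RISKY = PolicyDraft("site-b", "203.0.113.5", ["192.168.10.0/24", "203.0.113.0/24"], [ANY],
                    ANY, natted_local=["192.168.10.0/25", "10.9.0.0/16"])
```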
3. For Proposal, select a previously configured IPsec proposal.