HP TMS zl Module Security Administrator's Guide
4-228
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with IKE
Create Access Policies for an IPsec Site-to-Site VPN that Uses IKE

You must configure appropriate access policies on each TMS zl Module on which you configured a site-to-site VPN.

Before you begin configuring firewall access policies on a module, determine the zones on which traffic from the remote gateway arrives. Typically, this is the External zone, but it could be another zone.

You should also determine the zone for local endpoints allowed on the VPN. This might be the Internal zone or another zone. If multiple zones are allowed to access the VPN, you must create policies for each of these zones.

Figure 4-153 shows zones for an example IPsec site-to-site VPN.

Figure 4-153. Example IPsec Site-to-Site VPN (with Zones)

Table 4-24 lists the necessary access policies; the numbers in the Source and Destination columns refer to the example figure above. (Note that all of these policies are typically configured for the None user group. However, if local users log in through the module, then the access policies with the local zone as the source zone would need to be configured for their user groups.)

For access policies that permit the traffic sent over the tunnel, you should consider setting the TCP MSS to a value lower than the typical MSS used in your system—particularly when IP fragmentation is disabled. Otherwise, the addition of the IPsec and IP delivery headers might make the packets too large to be transmitted. Table 4-24 suggests a conservative value for the TCP MSS when the MTU is 1500. For more information on the TCP MSS, see Chapter 6: “Configuring the TMS zl Module Firewall.”