HP TMS zl Module Security Administrator's Guide
4-229
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with IKE
Note The value for TCP MSS in the table is only a suggestion. You should determine
the best setting for your environment.
Table 4-24. Checklist for Access Policies for an IPsec Site-to-Site VPN That Uses IKE

When Required      | From Zone | To Zone | Service                 | Source | Destination | TCP MSS | Number of policies
Always             | Remote    | SELF    | IKE (isakmp)            | 3      | 1           | —       | 1
Always             | SELF      | Remote  | IKE (isakmp)            | 1      | 3           | —       | 1
Always             | Remote    | Local   | Any you choose          | 4      | 2           | 1356    | As many as you choose
Always             | Local     | Remote  | Any you choose          | 2      | 4           | 1356    | As many as you choose
When NAT-T is used | Remote    | SELF    | NAT-T (ipsec-nat-t-udp) | 3      | 1           | —       | 1
When NAT-T is used | SELF      | Remote  | NAT-T (ipsec-nat-t-udp) | 1      | 3           | —       | 1

Verify Routes for an IPsec Site-to-Site VPN That Uses IKE
Verify that the following routes exist on each module on which you configured
a site-to-site VPN. These routes can be static routes or routes discovered
through a dynamic routing protocol:
■ A route to the remote VPN gateway
The route’s forwarding interface must be the interface with the IP address
that you specified as the local gateway address in the IKE policy.
This can be a default route.
■ A route to the remote endpoints for which the next hop is the same as in
the route to the remote gateway
If the route to the remote gateway is the default route, a separate route is
not required.
Figure 4-154 shows an example site-to-site VPN. The remote gateway IP
address is 192.168.1.22. The remote endpoints behind the gateway are in
subnet 10.1.55.0/24. In this example, a default route through 192.168.115.1, the
local router in the path to these subnets, could fulfill the requirements for both
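The two route requirements from the Verify Routes section, written as an added check script that is not part of the guide. The routing table, the interface names (vlan115, vlan1) and the use of the Figure 4-154 addresses are constructed for the example; the guide does not show a route table in this form.

```python
import ipaddress

# Constructed routing table for one module, modelled on Figure 4-154:
# (destination prefix, next hop or None if directly connected, forwarding interface).
# Interface names are assumptions, not from the guide.
ROUTES = [
    ("0.0.0.0/0", "192.168.115.1", "vlan115"),  # default route via the local router
    ("192.168.115.0/24", None, "vlan115"),       # directly connected transit network
    ("10.1.1.0/24", None, "vlan1"),              # local LAN behind the module
]


def lookup(routes, ip):
    """Longest-prefix match; returns (prefix, next_hop, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, next_hop, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = (prefix, next_hop, ifc)
    return best


def verify_vpn_routes(routes, remote_gateway, remote_subnets, local_gateway_ifc):
    """Return a list of problems; an empty list means both route requirements are met.

    local_gateway_ifc is the interface holding the address configured as the
    IKE policy's local gateway address.
    """
    problems = []
    gw_route = lookup(routes, remote_gateway)
    if gw_route is None:
        return [f"no route to remote gateway {remote_gateway}"]
    prefix, gw_next_hop, ifc = gw_route
    # Requirement 1: the route to the remote gateway must forward out of the IKE local gateway interface.
    if ifc != local_gateway_ifc:
        problems.append(f"route to {remote_gateway} forwards via {ifc}, expected {local_gateway_ifc}")
    # If the gateway is reached via the default route, it also covers the remote endpoints.
    if ipaddress.ip_network(prefix).prefixlen == 0:
        return problems
    # Requirement 2: each remote endpoint subnet needs a route with the same next hop as the gateway route.
    for subnet in remote_subnets:
        ep_route = lookup(routes, str(ipaddress.ip_network(subnet).network_address))
        if ep_route is None:
            problems.append(f"no route to remote endpoints {subnet}")
        elif ep_route[1] != gw_next_hop:
            problems.append(f"route to {subnet} uses next hop {ep_route[1]}, expected {gw_next_hop}")
    return problems
```

Running `verify_vpn_routes(ROUTES, "192.168.1.22", ["10.1.55.0/24"], "vlan115")` on the constructed table returns no problems, because the single default route satisfies both requirements.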